DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-12151: Denial of Service via Uncontrolled Fragment Buffering in Undici WebSocket Client

Vulnerability ID: CVE-2026-12151
CVSS Score: 7.5
Published: 2026-06-19

A high-severity denial of service vulnerability in the undici WebSocket client (CVE-2026-12151) arises from uncontrolled memory consumption. Undici checks each incoming fragment against a cumulative per-message payload limit, but it does not cap the number of frames that may make up a single message. A rogue or compromised WebSocket server can therefore send an unbounded sequence of small or empty continuation frames: every one of them passes the size check (a zero-byte fragment never advances the cumulative total), yet each is buffered until a final frame arrives. The buffer of pending fragments grows without bound, and the client process eventually exhausts its heap and crashes.

TL;DR

The undici WebSocket client does not limit the number of continuation frames per message, so a malicious server can crash the client process through heap exhaustion with an unbounded stream of zero-byte fragments that never trips the payload-size check.
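The following is an added illustrative model of the policy difference described above; it is not undici's code, and the limits, class and function names are assumptions chosen for the example. It buffers the fragments of one WebSocket message and compares a reassembler that enforces only a cumulative payload cap with one that also caps the fragment count. The flood is kept to a fixed number of empty frames so the example finishes; a real attacker simply never stops, and the array of pending fragments grows until the heap is gone.

```javascript
// Added illustrative model (not undici's code) of per-message fragment reassembly.
// Limits and names below are assumptions for the example.
const MAX_PAYLOAD_BYTES = 64 * 1024; // assumed cumulative payload cap per message
const MAX_FRAGMENTS = 1024;           // assumed per-message frame-count cap (the missing check)

class FragmentReassembler {
  constructor({ maxPayloadBytes, maxFragments = Infinity }) {
    this.maxPayloadBytes = maxPayloadBytes;
    this.maxFragments = maxFragments;
    this.fragments = [];  // payload chunks buffered until the final (FIN) frame arrives
    this.totalBytes = 0;
  }

  // Feed one frame of a fragmented message. Returns the reassembled message on the
  // FIN frame, null while more frames are expected; throws when a limit is exceeded.
  push({ fin, payload }) {
    if (this.totalBytes + payload.length > this.maxPayloadBytes) {
      throw new RangeError('cumulative payload limit exceeded');
    }
    // A zero-byte frame never advances totalBytes, so the size check above can never
    // reject it. Only a count-based check stops an empty-fragment flood.
    if (this.fragments.length >= this.maxFragments) {
      throw new RangeError('fragment count limit exceeded');
    }
    this.fragments.push(payload);
    this.totalBytes += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = [];
    this.totalBytes = 0;
    return message;
  }
}

// Simulate a hostile server sending `count` empty, non-final continuation frames.
// Reports how many were accepted and whether the reassembler eventually refused one.
function floodWithEmptyFragments(reassembler, count) {
  let accepted = 0;
  try {
    for (let i = 0; i < count; i++) {
      reassembler.push({ fin: false, payload: Buffer.alloc(0) });
      accepted++;
    }
  } catch (err) {
    return { accepted, rejected: true, reason: err.message };
  }
  return { accepted, rejected: false, buffered: reassembler.fragments.length };
}

// A legitimate fragmented message still reassembles under both policies.
function reassembleExample(reassembler) {
  reassembler.push({ fin: false, payload: Buffer.from('hel') });
  reassembler.push({ fin: false, payload: Buffer.from('lo ') });
  return reassembler.push({ fin: true, payload: Buffer.from('world') }).toString();
}

const sizeCapOnly = new FragmentReassembler({ maxPayloadBytes: MAX_PAYLOAD_BYTES });
const sizeAndCountCap = new FragmentReassembler({
  maxPayloadBytes: MAX_PAYLOAD_BYTES,
  maxFragments: MAX_FRAGMENTS,
});

console.log('size cap only:      ', floodWithEmptyFragments(sizeCapOnly, 200000));
console.log('size and count cap: ', floodWithEmptyFragments(sizeAndCountCap, 200000));
console.log('legitimate message: ', reassembleExample(new FragmentReassembler({
  maxPayloadBytes: MAX_PAYLOAD_BYTES,
  maxFragments: MAX_FRAGMENTS,
})));
```

With the size cap alone, all 200,000 empty fragments are accepted and remain buffered; with the additional count cap the 1,025th frame is rejected and the connection can be torn down. Each buffered entry costs allocation overhead regardless of its payload length, which is why empty frames are enough to exhaust the heap.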


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400, CWE-770
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 7.5 (High)
  • EPSS Score: 0.00284 (Percentile: 19.97%)
  • Impact: Denial of Service (OOM Crash)
  • Exploit Status: PoC available, no active wild exploitation
  • KEV Status: Not listed

Affected Systems

  • undici WebSocket client
  • Node.js applications utilizing undici
  • undici: >= 6.17.0 < 6.26.0 (Fixed in: 6.26.0)
  • undici: >= 7.0.0 < 7.28.0 (Fixed in: 7.28.0)
  • undici: >= 8.0.0 < 8.5.0 (Fixed in: 8.5.0)

Mitigation Strategies

  • Upgrade to the patched undici releases listed above; this is the only mitigation that removes the flaw
  • Restrict client-side WebSocket connections to trusted servers (the attack requires the server end of the connection to be malicious or compromised)
  • Deploy external process managers (such as systemd, PM2) with auto-restart policies; this shortens the outage after an OOM crash but does not prevent it

Remediation Steps:

  1. Identify every installed copy of undici, direct and transitive, via 'npm ls undici'
  2. Update the dependency requirement in package.json to >= 6.26.0, >= 7.28.0, or >= 8.5.0 (matching the major line in use); for copies pulled in transitively by other packages, pin the patched version with an npm 'overrides' entry (or the equivalent for your package manager) or update the dependent package
  3. Execute 'npm install' or equivalent to apply the patch
  4. Verify that no copy in the affected ranges remains via 'npm ls undici' and redeploy
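As an added helper for steps 1 and 4 (it is not part of the advisory or of undici), the script below walks the JSON tree that 'npm ls undici --json --all' prints (the '--all' flag is npm 7 and later) and flags every copy of undici, direct or transitive, whose version falls inside the affected ranges listed above. The SAMPLE_NPM_LS tree is constructed for the example; in practice you would feed it the real output with JSON.parse.

```javascript
// Added helper (not from the advisory or undici): flag affected undici copies in
// `npm ls undici --json --all` output. Ranges are those listed in the advisory.
const AFFECTED_RANGES = [
  { from: [6, 17, 0], fixedIn: [6, 26, 0] },
  { from: [7, 0, 0], fixedIn: [7, 28, 0] },
  { from: [8, 0, 0], fixedIn: [8, 5, 0] },
];

// Parse "7.28.0" or "8.5.0-rc.1" into [major, minor, patch]. Pre-release tags are
// ignored, a deliberate simplification for this example.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new TypeError(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is >= the first affected release and < the fixed release
// of any affected major line. Versions before 6.17.0 are outside the listed ranges.
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.fixedIn) < 0,
  );
}

// Recursively collect every undici node in an npm ls JSON tree, keeping the path
// of packages that pulled it in so transitive copies can be traced to their owner.
function findUndici(node, path = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const childPath = [...path, `${name}@${child.version}`];
    if (name === 'undici' && child.version) {
      hits.push({
        path: childPath.join(' > '),
        version: child.version,
        affected: isAffected(child.version),
      });
    }
    hits.push(...findUndici(child, childPath));
  }
  return hits;
}

function affectedCopies(tree) {
  return findUndici(tree).filter((hit) => hit.affected);
}

// Constructed sample shaped like `npm ls undici --json --all` output: one direct
// copy and two transitive copies pulled in by hypothetical packages.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    undici: { version: '7.10.0' },
    '@example/sdk': { version: '2.3.1', dependencies: { undici: { version: '6.26.0' } } },
    'some-tool': { version: '0.9.0', dependencies: { undici: { version: '8.4.2' } } },
  },
};

console.log(affectedCopies(SAMPLE_NPM_LS));
```

For the sample tree the direct 7.10.0 copy and the transitive 8.4.2 copy under some-tool are reported; the 6.26.0 copy under @example/sdk is already at the fixed release. A transitive hit like the some-tool one is the case where updating your own package.json requirement is not enough and an override or an update of the dependent package is needed.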

Read the full report for CVE-2026-12151 on our website for more details including interactive diagrams and full exploit analysis.
