Death by a Thousand Gzips: The Node.js Undici Decompression Loop
Vulnerability ID: CVE-2026-22036
CVSS Score: 3.7
Published: 2026-01-14
A resource exhaustion vulnerability in the Undici HTTP client allows malicious servers to crash Node.js applications by supplying an excessive number of compression layers in the Content-Encoding header.
TL;DR
Undici, the engine behind Node.js's native fetch(), failed to limit the number of decompression steps it would perform on a response. By sending a header like Content-Encoding: gzip, gzip, ... repeated thousands of times, an attacker can force the client to allocate thousands of stream objects, leading to high CPU usage and eventual process crashes (DoS). The fix introduces a hard limit of 5 encoding layers.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network
- CVSS: 3.7 (Low)
- Impact: Denial of Service (DoS)
- Component: lib/interceptor/decompress.js
- Limit Introduced: 5 Encodings
Affected Systems
- Node.js applications using the global fetch() (bundled Undici)
- Undici 7.x: >= 7.0.0, < 7.18.0 (fixed in 7.18.0)
- Undici 6.x: < 6.23.0 (fixed in 6.23.0)
Code Analysis
Commit: b04e3cb
Limit content-encodings to 5
const maxContentEncodings = 5
// parts: the comma-separated codings parsed from the Content-Encoding header
if (parts.length > maxContentEncodings) {
throw new Error(`too many content-encodings...`)
}
Exploit Details
- Theory: a proof-of-concept malicious server (the original PoC uses a small Flask app) answers with a Content-Encoding header that lists gzip thousands of times; a vulnerable client allocates one decompression stream per listed encoding, which is what drives the CPU and memory exhaustion.
Mitigation Strategies
- Limit the number of codings accepted in a single Content-Encoding header (the fix caps it at 5) and reject the response before allocating any decoder.
- Enforce timeouts on external HTTP requests.
- Monitor process memory usage for sudden spikes.
Remediation Steps:
- Update Undici to 7.18.0 or later on the 7.x line, or 6.23.0 or later on the 6.x line.
- Update Node.js to the latest patch version which includes the bundled Undici fix.
- Audit application logic for SSRF vulnerabilities that permit connections to untrusted servers.