CVE-2026-12151 Overview
CVE-2026-12151 is a denial-of-service vulnerability in the undici HTTP/WebSocket client library for Node.js. The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments within a message but does not cap the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation. Collectively, these frames cause unbounded memory growth in the client process, leading to memory exhaustion and a denial of service. The flaw is tracked as [CWE-400] Uncontrolled Resource Consumption and affects all undici releases starting at 6.17.0.
Critical Impact
A remote, unauthenticated attacker controlling a WebSocket endpoint can exhaust client memory and crash any Node.js application using the undici WebSocket client or WebSocketStream API.
Affected Products
- undici 6.x versions from 6.17.0 up to, but not including, 6.26.0
- undici 7.x versions prior to 7.28.0
- undici 8.x versions prior to 8.5.0
Discovery Timeline
- 2026-06-17 - CVE-2026-12151 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12151
Vulnerability Analysis
The undici WebSocket client processes RFC 6455 frames and reassembles fragmented messages from continuation frames. The implementation validates two boundaries: the size of each individual frame, and the cumulative size of bytes accumulated across all fragments in a single message. Both checks compare byte totals against the maxPayloadSize setting.
The client does not validate the count of fragments composing a message. An attacker can send an arbitrary number of empty or near-empty continuation frames without ever tripping the cumulative byte limit. Each fragment is retained in memory while the client awaits the final frame, allowing memory consumption to grow linearly with the attacker's frame count.
The issue is exploitable against any Node.js process that initiates a WebSocket connection to an attacker-controlled or compromised endpoint via new WebSocket(...) or the WebSocketStream API. The result is process termination through memory exhaustion.
Root Cause
The root cause is missing input validation on the structural properties of a WebSocket message. The fragment accumulator tracks bytes but not the number of buffered fragments. A zero-length payload contributes nothing to the byte counter, so attacker-controlled frame counts have no upper bound. Standard maxPayloadSize configuration provides no defense.
Attack Vector
Exploitation requires the victim application to connect to an attacker-controlled WebSocket server. This can occur in proxy, scraper, federated chat, IoT gateway, or webhook-style architectures. The attacker accepts the connection, then streams continuation frames with empty payloads until the client process exhausts heap memory. No authentication, user interaction, or special privileges are required, and the attack vector is purely network-based.
No proof-of-concept code is published with the advisory. Refer to the GitHub Security Advisory GHSA-vxpw-j846-p89q for additional technical context.
Detection Methods for CVE-2026-12151
Indicators of Compromise
- Node.js processes terminating with "JavaScript heap out of memory" or "FATAL ERROR: Reached heap limit Allocation failed" messages after WebSocket activity.
- Sustained heap growth in application telemetry that correlates with active outbound WebSocket sessions.
- Anomalously high counts of WebSocket continuation frames (opcode 0x0) recorded against a single message identifier.
Detection Strategies
- Inventory dependencies with npm ls undici and npm audit to identify direct and transitive usage of vulnerable undici versions.
- Inspect package manifests and lockfiles across repositories for undici versions in the affected range (>= 6.17.0 and below the patched releases).
- Instrument the WebSocket pipeline to record fragment counts per message and alert when a single message exceeds an expected threshold.
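To make the root cause and the fragment-count instrumentation above concrete, here is an added example (not undici's own code): a minimal RFC 6455 message reassembler with an undici-style maxPayloadSize byte check and an added maxFragments cap. Feeding it a constructed stream of empty continuation frames shows that the byte check never fires while the count check does; the names MessageAssembler, maxFragments and feed are assumptions for this example, and frames are assumed unmasked (server-to-client) with payloads under 64 KiB.

```javascript
// Minimal RFC 6455 frame parser for unmasked server-to-client frames (lengths < 64 KiB).
// Returns { fin, opcode, payload, next } or null if the buffer holds no complete frame.
function parseFrame(buf, offset = 0) {
  if (buf.length - offset < 2) return null;
  const fin = (buf[offset] & 0x80) !== 0;
  const opcode = buf[offset] & 0x0f;
  let len = buf[offset + 1] & 0x7f;
  let pos = offset + 2;
  if (len === 126) { len = buf.readUInt16BE(pos); pos += 2; }
  if (buf.length - pos < len) return null;
  return { fin, opcode, payload: buf.subarray(pos, pos + len), next: pos + len };
}

// Message reassembler (hypothetical). maxPayloadSize caps cumulative bytes (the pre-fix check);
// maxFragments caps the number of buffered fragments (the structural check that was missing).
class MessageAssembler {
  constructor({ maxPayloadSize = 1 << 20, maxFragments = Infinity } = {}) {
    Object.assign(this, { maxPayloadSize, maxFragments, fragments: [], bytes: 0 });
  }
  // Buffers one frame; returns the completed message, or null while still waiting for FIN.
  push(frame) {
    this.fragments.push(frame.payload);
    this.bytes += frame.payload.length;
    if (this.bytes > this.maxPayloadSize) throw new Error('maxPayloadSize exceeded');
    if (this.fragments.length > this.maxFragments) throw new Error('maxFragments exceeded');
    if (!frame.fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = []; this.bytes = 0;
    return message;
  }
}

// Constructed sample stream: one non-final text frame ("A") followed by n empty,
// non-final continuation frames (opcode 0x0), the pattern the advisory describes.
function emptyContinuationStream(n) {
  const frames = [Buffer.from([0x01, 0x01, 0x41])];
  for (let i = 0; i < n; i++) frames.push(Buffer.from([0x00, 0x00]));
  return Buffer.concat(frames);
}

// Feeds a frame stream through an assembler; reports buffered fragments, bytes and which limit fired.
function feed(stream, opts) {
  const asm = new MessageAssembler(opts);
  try {
    for (let f = parseFrame(stream); f; f = parseFrame(stream, f.next)) asm.push(f);
    return { fragments: asm.fragments.length, bytes: asm.bytes, error: null };
  } catch (e) {
    return { fragments: asm.fragments.length, bytes: asm.bytes, error: e.message };
  }
}
```

With only the byte limit set, 1000 empty continuation frames stay buffered at a cumulative size of one byte; with maxFragments set, the message is rejected as soon as the count is exceeded.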
Monitoring Recommendations
- Track resident set size (RSS) and V8 heap metrics for Node.js services that establish outbound WebSocket connections.
- Log outbound WebSocket destinations and alert on connections to untrusted or newly observed endpoints.
- Forward Node.js crash logs and process-restart events to a centralized logging platform for correlation with WebSocket traffic.
How to Mitigate CVE-2026-12151
Immediate Actions Required
- Upgrade undici to a fixed release: >= 6.26.0, >= 7.28.0, or >= 8.5.0.
- Rebuild and redeploy all services that bundle undici directly or as a transitive dependency, including Node.js applications that ship their own node_modules.
- Restrict outbound WebSocket connections to a known allowlist of trusted endpoints where business logic permits.
Patch Information
The maintainers shipped fixes in undici 6.26.0, 7.28.0, and 8.5.0. The patches add enforcement on the number of fragments accumulated for a single WebSocket message in addition to the existing cumulative byte check. Patch details and advisory references are published in the GitHub Security Advisory GHSA-vxpw-j846-p89q and the OpenJSF Security Advisories.
Workarounds
- No configuration-based workaround is available. The advisory states the fix must be applied through an upgrade.
- As a defense-in-depth measure, route outbound WebSocket traffic through an egress proxy that enforces destination allowlists and connection quotas until upgrades complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.