SentinelOne CVE Vulnerability Database

CVE-2026-1526: Undici WebSocket Client DoS Vulnerability

CVE-2026-1526 is a denial-of-service vulnerability in the undici WebSocket client caused by unbounded memory consumption during permessage-deflate decompression. This article covers technical details, impact, and mitigation.

Published: March 13, 2026

CVE-2026-1526 Overview

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Critical Impact

A malicious WebSocket server can send specially crafted compressed frames that expand to massive sizes in memory, causing complete denial of service through memory exhaustion in Node.js applications using the undici WebSocket client.

Affected Products

  • undici WebSocket client (versions with permessage-deflate support released before the fix; the GitHub Security Advisory referenced below lists the exact fixed versions)
  • Node.js applications using undici for WebSocket connections
  • Services implementing WebSocket clients with permessage-deflate extension negotiation

Discovery Timeline

  • 2026-03-12 - CVE-2026-1526 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-1526

Vulnerability Analysis

This vulnerability is classified as CWE-409 (Improper Handling of Highly Compressed Data), commonly known as a decompression bomb or "zip bomb" attack. The undici WebSocket client implements the permessage-deflate extension as defined in IETF RFC 7692, which allows WebSocket frames to be compressed using the DEFLATE algorithm to reduce bandwidth consumption.

The fundamental flaw is the absence of size validation during decompression. When the WebSocket client receives a compressed message, it hands the data to the PerMessageDeflate.decompress() method. That method inflates the input in chunks and accumulates every inflated chunk in memory before concatenating them into a single Buffer. At no point does the implementation check whether the cumulative decompressed size has exceeded a safe bound.

An attacker controlling a malicious WebSocket server can craft a compressed payload of highly repetitive data that expands by up to roughly 1030:1, DEFLATE's practical ceiling: about one megabyte on the wire inflates to about a gigabyte in memory. Because the client only learns the final decompressed size once inflation completes, the Node.js process rapidly consumes all available memory, leading to process termination or system-wide instability.

Root Cause

The root cause is the missing size validation in the PerMessageDeflate.decompress() method. The implementation unconditionally accumulates all decompressed data chunks without enforcing a maximum decompressed size threshold. This design oversight allows attackers to exploit the inherent compression ratio asymmetry of the DEFLATE algorithm, where highly repetitive data can be compressed at ratios approaching DEFLATE's ceiling of roughly 1030:1.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker must operate or compromise a WebSocket server that the vulnerable client connects to. The attack sequence involves:

  1. The client initiates a WebSocket connection and negotiates the permessage-deflate extension
  2. The malicious server accepts the connection and extension negotiation
  3. The server sends a small, highly compressed WebSocket frame containing repetitive data
  4. The client's PerMessageDeflate.decompress() method begins decompression
  5. The decompressed data rapidly fills available memory
  6. The Node.js process crashes due to memory exhaustion or becomes unresponsive

The vulnerability is particularly severe because clients connecting to untrusted WebSocket endpoints have no defense against this attack without patching or disabling the permessage-deflate extension entirely.

Detection Methods for CVE-2026-1526

Indicators of Compromise

  • Sudden spikes in Node.js process memory consumption when handling WebSocket connections
  • Node.js processes crashing with out-of-memory errors during WebSocket communication
  • Abnormally small WebSocket frames received from servers that trigger high memory allocation
  • WebSocket connections with permessage-deflate negotiation from untrusted endpoints

Detection Strategies

  • Monitor Node.js process memory utilization and set alerts for rapid memory consumption increases
  • Implement application-level logging to track WebSocket frame sizes before and after decompression
  • Use runtime protection tools that can detect and terminate processes exhibiting resource exhaustion patterns
  • Deploy network monitoring to identify unusually small WebSocket frames from external servers

Monitoring Recommendations

  • Configure memory limits for Node.js processes to prevent system-wide impact. Note that --max-old-space-size bounds only the V8 heap; the Buffers that hold inflated data are allocated outside that heap, so a container or cgroup memory limit is the control that actually caps this attack
  • Implement health checks that can detect and restart unresponsive Node.js processes
  • Review WebSocket connection logs for connections to untrusted or newly observed endpoints
  • Enable SentinelOne's runtime application protection to detect abnormal memory allocation patterns

How to Mitigate CVE-2026-1526

Immediate Actions Required

  • Update undici to a patched version that includes decompression size limits
  • Disable the permessage-deflate extension on WebSocket connections to untrusted servers as a temporary workaround
  • Review and restrict which external WebSocket endpoints your applications connect to
  • Implement process-level memory limits to contain the blast radius of potential exploitation

Patch Information

Refer to the GitHub Security Advisory GHSA-vrm6-8vpv-qv8q for official patch information and fixed versions. The OpenJS Security Advisories page provides additional guidance on securing Node.js applications. The vulnerability was also reported via HackerOne Report #3481206.

Workarounds

  • Disable permessage-deflate extension negotiation when creating WebSocket clients connecting to untrusted endpoints
  • Implement a reverse proxy or WebSocket gateway that can inspect and limit decompressed frame sizes before forwarding to backend services
  • Set strict memory limits on Node.js processes using container resource constraints; the --max-old-space-size flag caps only the V8 heap and does not bound the off-heap Buffers used for inflated data
  • Consider implementing custom decompression wrappers with size validation until official patches are applied
```bash
# Configuration example - contain resource exhaustion with memory limits.
# --max-old-space-size caps only the V8 heap (here 512 MB). Buffers holding
# inflated data are allocated outside the V8 heap, so this alone does not
# bound a decompression bomb; it only limits collateral damage from JS objects.
node --max-old-space-size=512 your-application.js

# For containerized deployments, the container memory limit is the effective
# ceiling: the kernel OOM-kills the process instead of letting it take the host down.
docker run --memory="1g" --memory-swap="1g" your-node-app
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DoS
  • Vendor/Tech: Node.js
  • Severity: High
  • CVSS Score: 7.5
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: High

CWE References

  • CWE-409

Technical References

  • OpenJS Security Advisories
  • IETF RFC 7692 Document
  • GitHub Security Advisory GHSA-vrm6-8vpv-qv8q
  • HackerOne Report #3481206

Related CVEs

  • CVE-2026-21712: Node.js URL Processing DoS Vulnerability
  • CVE-2026-21710: Node.js HTTP DoS Vulnerability
  • CVE-2026-21714: Node.js HTTP/2 Memory Leak DoS Vulnerability
  • CVE-2026-25547: @isaacs/brace-expansion DoS Vulnerability
©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English