
CVE-2026-1528: undici WebSocket DoS Vulnerability

CVE-2026-1528 is a denial of service flaw in undici's WebSocket parser that causes process termination through ByteParser overflow. This article covers the technical details, affected versions, and mitigation strategies.


CVE-2026-1528 Overview

CVE-2026-1528 is an integer overflow vulnerability in undici, the HTTP client library bundled with Node.js, affecting its WebSocket frame processing. A malicious server can respond with a WebSocket frame that uses the 64-bit payload-length form and carries an extremely large length value. The length arithmetic in undici's ByteParser then exceeds JavaScript's safe-integer range, leaving the parser in an invalid state from which it throws a fatal TypeError that terminates the Node.js process.

Critical Impact

This vulnerability lets a remote server crash any Node.js application that uses undici as a WebSocket client: a single crafted frame in the server's response is enough for a complete denial of service. Note the direction of the attack: the vulnerable party is the client, so any code that connects to a WebSocket endpoint it does not fully control is exposed.

Affected Products

  • Node.js Undici versions prior to v7.24.0
  • Node.js Undici versions prior to v6.24.0

Discovery Timeline

  • 2026-03-12 - CVE CVE-2026-1528 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-1528

Vulnerability Analysis

The vulnerability resides in undici's ByteParser component, which parses incoming WebSocket frames. A WebSocket frame can specify its payload length in one of three forms: a 7-bit length for small payloads, a 16-bit extended length, or a 64-bit extended length for large payloads. When a malicious server sends a frame in the 64-bit form with an extremely large value, the ByteParser's length arithmetic exceeds JavaScript's safe-integer range (Number.MAX_SAFE_INTEGER, 2^53 - 1). JavaScript numbers do not wrap like fixed-width integers, but beyond that bound they are rounded, so the length the parser computes no longer matches the value on the wire.

This corrupts the parser's internal state, leaving it in a configuration it cannot recover from. When the parser attempts to continue, it hits a condition its logic never anticipated and throws a TypeError. Because the parser runs from the socket's data handling, the exception surfaces asynchronously as an uncaught exception, not as an 'error' event the application can observe on the WebSocket object, and an uncaught exception terminates a Node.js process immediately unless a process-level 'uncaughtException' handler is installed.

Root Cause

The root cause is classified as CWE-248 (Uncaught Exception). The ByteParser does not validate the 64-bit length value before using it in arithmetic. When the length exceeds the safe-integer bound (2^53 - 1 in JavaScript), the calculations produce incorrect values, the parser enters an internal state that its error handling never anticipated, and the resulting TypeError propagates uncaught and terminates the process.

Attack Vector

The attack is network-based and requires no authentication or user interaction. The attacker must control or compromise a WebSocket server that a vulnerable undici client connects to, or, for plaintext ws:// connections, be on the network path and able to inject a frame. Once the client has completed the WebSocket handshake, the malicious server sends a crafted frame whose header carries an oversized 64-bit length value, which triggers the overflow in the ByteParser during frame processing.

The attack sequence involves:

  1. A victim application using Undici establishes a WebSocket connection to an attacker-controlled server
  2. The server responds with a WebSocket frame specifying an extremely large 64-bit payload length
  3. Undici's ByteParser attempts to process the frame and overflows during length calculations
  4. The parser enters an invalid state and throws a TypeError
  5. The Node.js process terminates due to the uncaught exception
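The three length forms described under Vulnerability Analysis and the crafted 64-bit header from the attack sequence, worked through in an added JavaScript example. This is not undici's code: encodeHeader, naiveLength64 and decodeHeader are stand-ins written for this page, and the maxPayload limit is an assumed application setting. The naive reader shows the precision loss that makes an oversized 64-bit length dangerous; the hardened decoder rejects such a frame with a controlled RangeError before any further arithmetic runs.

```javascript
// Added example, not undici's code: a WebSocket frame-header encoder and two
// decoders (RFC 6455 section 5.2) showing the 7-bit, 16-bit and 64-bit length
// forms and why a 64-bit length must be checked before it meets Number math.
const MAX_SAFE = BigInt(Number.MAX_SAFE_INTEGER);

// Server-to-client header (servers never mask, RFC 6455 5.1). payloadLength is
// a BigInt so that values above 2^53 can be encoded for the demonstration.
function encodeHeader(opcode, payloadLength, fin = true) {
  const first = (fin ? 0x80 : 0x00) | (opcode & 0x0f);
  if (payloadLength < 126n) return Buffer.from([first, Number(payloadLength)]);
  if (payloadLength < 65536n) {
    const b = Buffer.alloc(4);
    b[0] = first;
    b[1] = 126;
    b.writeUInt16BE(Number(payloadLength), 2);
    return b;
  }
  const b = Buffer.alloc(10);
  b[0] = first;
  b[1] = 127;
  b.writeBigUInt64BE(payloadLength, 2);
  return b;
}

// How a naive parser combines the two 32-bit halves of the 64-bit form.
// Above 2^53 - 1 the Number result is silently rounded, so the parser
// continues with a length that does not match the wire value.
function naiveLength64(buf, offset) {
  const hi = buf.readUInt32BE(offset);
  const lo = buf.readUInt32BE(offset + 4);
  return hi * 2 ** 32 + lo;
}

// Hardened decoder: reads the 64-bit form as a BigInt and rejects anything
// that is not a safe integer, or exceeds an assumed application limit, with a
// controlled RangeError before any further arithmetic happens.
function decodeHeader(buf, maxPayload = 1 << 20) {
  if (buf.length < 2) throw new RangeError('short header');
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = BigInt(buf[1] & 0x7f);
  let offset = 2;
  if (len === 126n) {
    if (buf.length < 4) throw new RangeError('short header');
    len = BigInt(buf.readUInt16BE(2));
    offset = 4;
  } else if (len === 127n) {
    if (buf.length < 10) throw new RangeError('short header');
    len = buf.readBigUInt64BE(2);
    offset = 10;
    // RFC 6455 5.2: the most significant bit of a 64-bit length MUST be 0.
    if (len >> 63n) throw new RangeError('64-bit length has MSB set');
  }
  // The RFC check alone is not enough: 2^63 - 1 still exceeds 2^53 - 1.
  if (len > MAX_SAFE) throw new RangeError('payload length exceeds MAX_SAFE_INTEGER');
  const payloadLength = Number(len);
  if (payloadLength > maxPayload) throw new RangeError(`payload ${payloadLength} exceeds limit ${maxPayload}`);
  return { fin, opcode, masked, payloadLength, headerLength: offset + (masked ? 4 : 0) };
}

// Constructed headers: one ordinary 64-bit-form frame, and two crafted ones,
// 2^53 + 1 (passes the MSB check, not a safe integer) and 2^64 - 1 (MSB set).
const NORMAL = encodeHeader(0x1, 70000n);
const CRAFTED_UNSAFE = encodeHeader(0x2, 2n ** 53n + 1n);
const CRAFTED_MSB = encodeHeader(0x2, 2n ** 64n - 1n);

// Returns the rejection message, or null when the header is accepted.
function reject(buf) {
  try { decodeHeader(buf); return null; } catch (e) { return e.message; }
}

function demo() {
  return {
    normal: decodeHeader(NORMAL),
    naiveUnsafe: naiveLength64(CRAFTED_UNSAFE, 2), // rounds to 2^53, off by one
    naiveMsb: naiveLength64(CRAFTED_MSB, 2),       // rounds up to 2^64
    rejectedUnsafe: reject(CRAFTED_UNSAFE),
    rejectedMsb: reject(CRAFTED_MSB),
  };
}

console.log(demo());
```

The MSB check mandated by RFC 6455 is worth keeping, but it does not protect a JavaScript parser on its own: any length between 2^53 and 2^63 - 1 passes it and still cannot be represented exactly as a Number, which is why the decoder compares against Number.MAX_SAFE_INTEGER before converting.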

For detailed technical analysis, see the GitHub Security Advisory GHSA-f269-vfmq-vjvj.

Detection Methods for CVE-2026-1528

Indicators of Compromise

  • Unexpected Node.js process crashes with an uncaught TypeError whose stack trace passes through WebSocket-related code
  • Application logs showing fatal errors in undici's ByteParser or WebSocket frame-processing functions
  • Service outages that begin immediately after a WebSocket connection to an external server is established
  • Crash reports or supervisor logs showing repeated exits of the same service shortly after it reconnects to the same WebSocket endpoint

Detection Strategies

  • Monitor application logs for TypeError exceptions whose stack frames originate in undici's WebSocket parser (ByteParser)
  • Implement process monitoring to detect abnormal terminations of Node.js services
  • Where WebSocket traffic is visible in the clear (at a TLS-terminating proxy or gateway, or on plaintext ws:// links), inspect frame headers for 64-bit length values far above any payload the application expects; encrypted wss:// traffic cannot be inspected this way on the wire
  • Use application performance monitoring (APM) tools to track WebSocket connection failures and process restarts
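Detection logic for the log-based strategies above, as an added example that is not part of the advisory or of undici. It runs over constructed log lines: a TypeError with stack frames inside undici's WebSocket receiver, followed by a systemd exit and restart, plus a benign TypeError from application code that must not match. The regexes and the sample text are assumptions to tune against real crash output; the TypeError message text in particular is invented here because the real message varies by undici version.

```javascript
// Added example: crash-log triage for the signature described above. Not part
// of undici or the advisory. The log lines are constructed; the TypeError
// message is invented for this example because the real text varies by undici
// version, so tune the patterns against your own crash output.
const SAMPLE_LOGS = [
  '2026-03-13T10:02:11Z app[1234]: websocket connected to wss://feed.example.net/stream',
  '2026-03-13T10:02:12Z app[1234]: TypeError: invalid parser state (invented message)',
  '    at ByteParser.run (/srv/app/node_modules/undici/lib/web/websocket/receiver.js:100:10)',
  '    at ByteParser._write (/srv/app/node_modules/undici/lib/web/websocket/receiver.js:60:12)',
  '2026-03-13T10:02:12Z systemd[1]: app.service: Main process exited, code=exited, status=1/FAILURE',
  '2026-03-13T10:02:15Z systemd[1]: app.service: Scheduled restart job, restart counter is at 3.',
];

// A crash that must not match: a TypeError raised from application code.
const BENIGN_LOGS = [
  '2026-03-13T11:00:00Z app[1235]: TypeError: Cannot read properties of undefined',
  '    at render (/srv/app/lib/view.js:42:7)',
  '2026-03-13T11:00:00Z systemd[1]: app.service: Main process exited, code=exited, status=1/FAILURE',
];

const TYPE_ERROR = /\bTypeError\b/;
// Assumed frame patterns: a stack frame inside undici's websocket code, or the
// ByteParser class name the advisory refers to.
const UNDICI_WS_FRAME = /node_modules\/undici\/.*websocket/i;
const BYTE_PARSER = /\bByteParser\b/;
const PROCESS_EXIT = /Main process exited|exited with code/;
const RESTART = /restart counter is at (\d+)/;
const DESTINATION = /connected to (wss?:\/\/\S+)/;

// Walk the lines once, opening a finding at each TypeError and attaching the
// stack frames, exit and restart evidence that follow it. The most recently
// logged WebSocket destination is recorded so the peer can be investigated.
function triageCrashLogs(lines) {
  const findings = [];
  let lastDestination = null;
  let current = null;
  for (const line of lines) {
    const d = DESTINATION.exec(line);
    if (d) lastDestination = d[1];
    if (TYPE_ERROR.test(line)) {
      current = {
        error: line.trim(),
        destination: lastDestination,
        undiciWebSocketFrame: false,
        processExited: false,
        restartCount: null,
      };
      findings.push(current);
      continue;
    }
    if (!current) continue;
    if (UNDICI_WS_FRAME.test(line) || BYTE_PARSER.test(line)) current.undiciWebSocketFrame = true;
    if (PROCESS_EXIT.test(line)) current.processExited = true;
    const r = RESTART.exec(line);
    if (r) current.restartCount = Number(r[1]);
  }
  // The signature from the advisory: an uncaught TypeError raised from undici's
  // WebSocket parser that took the process down.
  return findings.map((f) => ({ ...f, matchesSignature: f.undiciWebSocketFrame && f.processExited }));
}

console.log(triageCrashLogs(SAMPLE_LOGS));
```

A rising restartCount against the same destination is the pattern to alert on: a supervisor will happily reconnect a vulnerable client to the malicious server and crash it again, so the restart loop itself is evidence of ongoing exploitation rather than recovery.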

Monitoring Recommendations

  • Configure alerting for Node.js process crashes, particularly those with TypeError in the stack trace
  • Implement health checks that detect service unavailability after WebSocket operations
  • Monitor for patterns of repeated crashes that may indicate active exploitation attempts
  • Track WebSocket connection destinations to identify potentially malicious servers

How to Mitigate CVE-2026-1528

Immediate Actions Required

  • Upgrade Undici to version v7.24.0 or later for the 7.x branch
  • Upgrade Undici to version v6.24.0 or later for the 6.x branch
  • Review application dependencies to identify every installed copy of undici, including nested transitive copies that a root-level upgrade does not touch; recent Node.js releases also expose a global WebSocket backed by the undici copy bundled with Node itself, which npm does not manage, so check the Node.js release notes to confirm that copy is fixed
  • Implement process supervision to automatically restart crashed Node.js applications
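An added script, not from the advisory or undici, that walks an npm lockfile for every installed copy of undici and flags versions below the fixed release for their major line. The lockfile fragment and the "some-sdk" package are constructed; the treatment of majors other than 6 and 7 is an assumption noted in the code.

```javascript
// Added example, not from the advisory or undici: audit an npm lockfile
// (lockfileVersion 2 or 3, "packages" map) for every installed copy of undici,
// including copies nested under other dependencies, and flag those below the
// fixed release for their major line.
const fixedVersions = {
  7: [7, 24, 0], // fixed in v7.24.0
  6: [6, 24, 0], // fixed in v6.24.0
};

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseSemver(version);
  const fixed = fixedVersions[v[0]];
  // Assumption: majors older than 6 never received a fix (the advisory lists
  // none for them), and majors newer than 7 postdate the fix.
  if (!fixed) return v[0] < 6;
  return compareSemver(v, fixed) < 0;
}

// Every key ending in node_modules/undici is an installed copy; nested keys
// such as node_modules/<pkg>/node_modules/undici are transitive copies that
// upgrading the root dependency does not touch.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/undici')) continue;
    findings.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
  }
  return findings;
}

// Constructed lockfile fragment: the root depends on a fixed 7.x undici, while a
// hypothetical "some-sdk" package still pulls in a nested, unfixed 6.x copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { undici: '^7.24.0', 'some-sdk': '^1.0.0' } },
    'node_modules/undici': { version: '7.24.0' },
    'node_modules/some-sdk': { version: '1.0.0', dependencies: { undici: '^6.0.0' } },
    'node_modules/some-sdk/node_modules/undici': { version: '6.21.0' },
  },
};

// Usage: node audit-undici.js [path/to/package-lock.json]; without an argument
// the constructed sample above is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.version.padEnd(8)} ${f.path}`);
  }
}
```

A nested copy like the one under some-sdk is fixed either by bumping the parent package to a release that accepts the patched undici, or by adding an "overrides" entry for undici in package.json (supported by npm 8.3 and later) and reinstalling, then re-running the audit to confirm no unfixed copy remains.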

Patch Information

The vulnerability has been patched in Undici versions v7.24.0 and v6.24.0. Users should upgrade to these versions or later to address the vulnerability. The patches add proper validation of 64-bit WebSocket frame lengths before arithmetic operations, preventing the integer overflow condition.

For official patch information, refer to the GitHub Security Advisory GHSA-f269-vfmq-vjvj and the OpenJSF Security Advisories.

Workarounds

  • Limit WebSocket connections to trusted, known servers only where possible
  • Implement process managers like PM2 or systemd to automatically restart crashed Node.js processes
  • Consider using a reverse proxy or WebSocket gateway that validates frame headers before forwarding to the application
  • Application-level exception handling is of limited use here: a try/catch around the code that opens the connection cannot catch this error, because the parser throws later, from the socket's data handling; a process-level 'uncaughtException' handler would keep the process alive but leaves the connection in an undefined state, so it is a stopgap, not a fix
```bash
# Upgrade the direct dependency to the patched 7.x release
npm install undici@^7.24.0

# Or, for applications that must stay on the 6.x branch
npm install undici@^6.24.0

# List every installed copy, including nested transitive copies
npm ls undici --all

# Confirm nothing still resolves to an unfixed version
npm audit
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
