CVE-2026-2229 Overview
The undici WebSocket client contains a denial-of-service vulnerability stemming from improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can exploit this by responding with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
Critical Impact
A malicious WebSocket server can crash any Node.js application using the undici WebSocket client by sending an invalid compression parameter, causing immediate process termination without recovery.
Affected Products
- Undici WebSocket client (Node.js HTTP/1.1 client)
- Node.js applications using undici for WebSocket connections with permessage-deflate compression
- Applications connecting to untrusted WebSocket servers via undici
Discovery Timeline
- 2026-03-12 - CVE CVE-2026-2229 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-2229
Vulnerability Analysis
This vulnerability is classified under CWE-248 (Uncaught Exception), affecting the undici WebSocket client's handling of the permessage-deflate WebSocket extension. The vulnerability exists in the compression negotiation and initialization process when establishing WebSocket connections.
The permessage-deflate extension, defined in IETF RFC 7692, allows WebSocket endpoints to negotiate compression parameters. The server_max_window_bits parameter specifies the LZ77 sliding window size that the server will use for compression. According to the zlib specification and the RFC, valid values for this parameter are strictly within the range of 8-15.
The vulnerability manifests because the undici client fails to properly validate this parameter before using it to initialize the decompression context. When a malicious server sends a value outside the valid range, the Node.js zlib module throws a synchronous RangeError that propagates uncaught through the call stack.
Root Cause
The root cause of this vulnerability involves three compounding factors in the undici WebSocket implementation:
Insufficient Validation Logic: The isValidClientWindowBits() function only validates that the value contains ASCII digits, but does not verify that the numeric value falls within the valid range of 8-15 as required by the zlib specification.
Missing Exception Handling: The createInflateRaw() call that initializes the zlib decompression context is not wrapped in a try-catch block, leaving synchronous exceptions unhandled.
Fatal Exception Propagation: The resulting RangeError exception propagates up through the call stack without being caught, causing the Node.js process to terminate immediately.
This combination of validation bypass and missing error handling creates a reliable denial-of-service vector.
Attack Vector
The attack can be executed by any entity capable of operating a malicious WebSocket server. The attack flow proceeds as follows:
- The victim application initiates a WebSocket connection to a malicious or compromised server using the undici WebSocket client
- The client advertises support for permessage-deflate compression in the connection upgrade request
- The malicious server responds with a Sec-WebSocket-Extensions header containing an invalid server_max_window_bits value (e.g., 0, 1, 16, or any value outside 8-15)
- The client accepts the extension negotiation without validating the parameter range
- When the server sends a compressed message frame, the client attempts to create an InflateRaw instance with the invalid windowBits value
- The zlib module throws a synchronous RangeError that is not caught
- The Node.js process terminates immediately
The attack requires no authentication and can be triggered on the first compressed message after the WebSocket handshake completes. For more technical details, see the GitHub Security Advisory GHSA-v9p9-hfj2-hcw8 and the HackerOne Vulnerability Report.
Detection Methods for CVE-2026-2229
Indicators of Compromise
- Unexpected Node.js process crashes with uncaught RangeError exceptions originating from zlib operations
- WebSocket connection logs showing Sec-WebSocket-Extensions headers with unusual server_max_window_bits values outside the 8-15 range
- Application restart patterns coinciding with WebSocket connections to specific external endpoints
- Error logs containing references to InflateRaw initialization failures or invalid windowBits parameters
Detection Strategies
- Implement application-level logging to capture WebSocket extension negotiation parameters before they are processed
- Monitor for process crash events with stack traces pointing to zlib decompression initialization in WebSocket contexts
- Deploy network inspection rules to flag WebSocket upgrade responses containing server_max_window_bits values outside the valid 8-15 range
- Use application performance monitoring to detect sudden process terminations following WebSocket connection establishment
Monitoring Recommendations
- Enable detailed logging for WebSocket connection establishment and extension negotiation in undici-based applications
- Configure process managers (PM2, systemd, etc.) to alert on rapid restart cycles that may indicate exploitation attempts
- Implement health check monitoring that tracks WebSocket connection success rates and application stability metrics
- Review outbound WebSocket connections to ensure they are directed to trusted, authenticated endpoints
How to Mitigate CVE-2026-2229
Immediate Actions Required
- Update undici to the latest patched version that includes proper validation of server_max_window_bits parameters
- Audit applications to identify all outbound WebSocket connections using undici, particularly those connecting to untrusted or external servers
- Consider disabling permessage-deflate compression as a temporary mitigation if patch deployment is delayed
- Implement process supervision with automatic restart capabilities to minimize service disruption if exploitation occurs
Patch Information
A security patch addressing this vulnerability has been released by the undici maintainers. The fix adds proper range validation to ensure server_max_window_bits values fall within the zlib-supported range of 8-15, and wraps the createInflateRaw() call in appropriate exception handling. For detailed patch information and the latest secure versions, consult the GitHub Security Advisory GHSA-v9p9-hfj2-hcw8 and the OpenJS Foundation Security Advisories.
Workarounds
- Disable WebSocket compression by not advertising permessage-deflate support, though this requires modifying client configuration or using alternative WebSocket libraries
- Implement a reverse proxy or WebSocket gateway that validates extension parameters before forwarding connections to the application
- Restrict WebSocket connections to trusted, authenticated server endpoints only
- Wrap WebSocket client instantiation in process isolation (worker threads or child processes) to contain potential crashes
# Configuration example: Check undici version and update to patched release
npm list undici
npm update undici --save
# Verify the installed version includes the security fix
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
