CVE Vulnerability Database

CVE-2026-9675: Undici WebSocket Client DoS Vulnerability

CVE-2026-9675 is a denial of service vulnerability in the undici WebSocket client that allows memory exhaustion through fragmented messages. This post covers the technical details, affected versions, impact, and mitigation.


CVE-2026-9675 Overview

CVE-2026-9675 is a denial-of-service vulnerability in the undici HTTP/WebSocket client for Node.js. The undici WebSocket client enforces maxPayloadSize on a per-frame basis but does not validate the cumulative size of a fragmented, uncompressed message. A malicious WebSocket server can stream many small fragments that individually pass the per-frame check while collectively exceeding the configured limit. The result is unbounded memory growth in the client process, ending in memory exhaustion. The flaw is classified under CWE-400 (Uncontrolled Resource Consumption). It was introduced as a regression in undici 8.1.0 and is present in every release up to, but not including, 8.5.0.

Critical Impact

A remote WebSocket server can exhaust client memory and crash the host Node.js process without authentication or user interaction.

Affected Products

  • undici 8.1.0 up to, but not including, 8.5.0 (that is, 8.1.0 through 8.4.x)
  • Node.js applications using the undici WebSocket client (new WebSocket(...))
  • Not affected: undici 6.25.0 line and 7.x line

Discovery Timeline

  • 2026-06-17 - CVE-2026-9675 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-9675

Vulnerability Analysis

The undici WebSocket client validates incoming frames against the maxPayloadSize configuration option. This check operates on each individual frame as it arrives. The WebSocket protocol (RFC 6455) allows a single logical message to be split into fragments: an initial text or binary frame with the FIN bit cleared, followed by continuation frames (opcode 0x0), the last of which has FIN set. The client buffers these fragments in memory until the FIN-terminated frame arrives.

The regression in version 8.1.0 removed the cumulative size validation that summed the buffered fragment sizes of a single message. A hostile server can therefore send thousands of small fragments, each well under maxPayloadSize, and the client accumulates them without bound. The 6.25.0 release line has always carried the cumulative check and is unaffected; the 7.x line never added the maxPayloadSize feature at all.

Root Cause

The root cause is missing aggregate length validation in the WebSocket frame reassembly logic. Per-frame checks alone are insufficient when the protocol supports message fragmentation. The fix in undici 8.5.0 restores cumulative tracking so that the running total of buffered fragment payloads is compared against maxPayloadSize before each new fragment is appended.

Attack Vector

Exploitation requires the victim application to initiate a WebSocket connection to an attacker-controlled or compromised endpoint. This is common in scenarios where applications accept a server URL from user input, integrate with third-party data feeds, or perform outbound webhook handshakes. Once the connection is established, the malicious server sends a stream of uncompressed continuation frames without ever setting the FIN bit. Memory growth continues until the Node.js process is terminated by the operating system or hits the V8 heap limit.

No authentication, user interaction, or local access is required. The attack runs over the network against the client process.
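The following is an added illustration of the root cause and the attack vector described above; it is not undici's code and is not taken from the advisory. It contains a minimal RFC 6455 frame encoder and decoder (unmasked frames, as a server sends them), a function that builds the byte stream a hostile server would emit (one binary frame followed by continuation frames, never setting FIN), and a reassembler that can be run with the per-frame check only (the regressed behaviour) or with the cumulative check (the fixed behaviour). Names such as hostileFragmentStream and reassemble are this example's own, and the frame sizes are chosen for the demonstration. Protocol validation unrelated to sizing (masking, control frames, opcode sequencing) is deliberately omitted.

```javascript
'use strict';
// Added example: per-frame vs cumulative maxPayloadSize enforcement during
// WebSocket fragment reassembly. Not undici's source. Frames are unmasked
// because server-to-client frames carry no mask (RFC 6455 section 5.3).

const OPCODE_CONTINUATION = 0x0;
const OPCODE_BINARY = 0x2;

// Encode one unmasked frame: byte 0 = FIN bit | opcode, then the length
// field in its 7-bit, 16-bit or 64-bit form, then the payload.
function encodeFrame(fin, opcode, payload) {
  const len = payload.length;
  let header;
  if (len < 126) {
    header = Buffer.alloc(2);
    header[1] = len;
  } else if (len < 0x10000) {
    header = Buffer.alloc(4);
    header[1] = 126;
    header.writeUInt16BE(len, 2);
  } else {
    header = Buffer.alloc(10);
    header[1] = 127;
    header.writeBigUInt64BE(BigInt(len), 2);
  }
  header[0] = (fin ? 0x80 : 0x00) | (opcode & 0x0f);
  return Buffer.concat([header, payload]);
}

// Decode one unmasked frame starting at `offset`; returns null if the
// buffer does not yet hold a complete frame.
function decodeFrame(buf, offset) {
  if (buf.length - offset < 2) return null;
  const fin = (buf[offset] & 0x80) !== 0;
  const opcode = buf[offset] & 0x0f;
  let len = buf[offset + 1] & 0x7f;
  let pos = offset + 2;
  if (len === 126) {
    if (buf.length - pos < 2) return null;
    len = buf.readUInt16BE(pos);
    pos += 2;
  } else if (len === 127) {
    if (buf.length - pos < 8) return null;
    len = Number(buf.readBigUInt64BE(pos));
    pos += 8;
  }
  if (buf.length - pos < len) return null;
  return { fin, opcode, payload: buf.subarray(pos, pos + len), next: pos + len };
}

// The hostile server's byte stream: `count` fragments of `chunkSize` bytes,
// starting with a binary frame and continuing with opcode 0x0 frames, with
// FIN never set so the message never completes.
function hostileFragmentStream(chunkSize, count) {
  const frames = [];
  for (let i = 0; i < count; i++) {
    const opcode = i === 0 ? OPCODE_BINARY : OPCODE_CONTINUATION;
    frames.push(encodeFrame(false, opcode, Buffer.alloc(chunkSize, 0x41)));
  }
  return Buffer.concat(frames);
}

// Feed a byte stream through the reassembler. Returns the number of payload
// bytes still buffered for an unfinished message, plus the error (if any)
// that stopped processing. `cumulativeCheck === false` reproduces the
// regressed behaviour; `true` reproduces the fix.
function reassemble(stream, maxPayloadSize, cumulativeCheck) {
  const fragments = [];
  let buffered = 0;
  let offset = 0;
  let frame;
  while ((frame = decodeFrame(stream, offset)) !== null) {
    offset = frame.next;
    // Per-frame check: present both before and after the fix.
    if (frame.payload.length > maxPayloadSize) {
      return { buffered, error: 'frame exceeds maxPayloadSize' };
    }
    // Cumulative check: the one the 8.1.0 regression dropped.
    if (cumulativeCheck && buffered + frame.payload.length > maxPayloadSize) {
      return { buffered, error: 'fragmented message exceeds maxPayloadSize' };
    }
    fragments.push(frame.payload);
    buffered += frame.payload.length;
    if (frame.fin) {
      // Message complete: it would be delivered here; drop the buffer.
      fragments.length = 0;
      buffered = 0;
    }
  }
  return { buffered, error: null };
}

if (typeof module !== 'undefined' && require.main === module) {
  // 2000 fragments of 1 KiB against a 64 KiB limit.
  const stream = hostileFragmentStream(1024, 2000);
  console.log('per-frame only:', reassemble(stream, 65536, false));
  console.log('cumulative:    ', reassemble(stream, 65536, true));
}
```

With the per-frame check alone, every 1 KiB fragment passes and the reassembler ends up holding all 2,048,000 bytes of an unfinished message; the real attack simply keeps sending. With the cumulative check, the 65th fragment is rejected as soon as the running total would exceed 65,536 bytes, which is exactly the bound maxPayloadSize was meant to enforce.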

Detection Methods for CVE-2026-9675

Indicators of Compromise

  • Node.js processes consuming abnormally high resident memory shortly after initiating outbound WebSocket connections
  • Repeated crashes logged as FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory in application logs
  • Long-lived outbound WebSocket sessions to untrusted or unexpected hosts with no message completion
  • High volumes of inbound WebSocket continuation frames without FIN-terminated messages

Detection Strategies

  • Inventory all Node.js applications and identify those depending on undici between versions 8.1.0 and 8.4.x using npm ls undici or equivalent
  • Inspect package lock files and software bill of materials (SBOM) entries for transitive undici dependencies
  • Monitor egress traffic for WebSocket sessions to unapproved destinations

Monitoring Recommendations

  • Track per-process memory growth rates for Node.js services and alert on sustained increases
  • Log outbound WebSocket connection targets and correlate with application allowlists
  • Capture network telemetry for WebSocket opcode 0x0 (continuation) frame counts per connection

How to Mitigate CVE-2026-9675

Immediate Actions Required

  • Upgrade undici to version 8.5.0 or later in all affected Node.js applications
  • Audit transitive dependencies, as undici is commonly pulled in by HTTP clients and frameworks
  • Restrict outbound WebSocket connections to validated, allowlisted endpoints where feasible
  • Apply per-process memory limits (for example Node's --max-old-space-size flag or container memory limits) to contain the blast radius if exploitation occurs; this bounds the damage to the host but does not stop the affected process from crashing

Patch Information

The maintainers released undici 8.5.0, which reinstates cumulative size validation for fragmented WebSocket messages. Refer to the GitHub Security Advisory GHSA-38rv-x7px-6hhq and the OpenJS Foundation Security Advisories for full details.

Workarounds

  • No configuration workaround is available. The maxPayloadSize option does not prevent the issue because the gap is in cumulative tracking, not per-frame enforcement
  • Downgrading to the undici 6.25.0 line is a possible interim option if an upgrade to 8.5.0 is blocked; treat it as a major-version change and test the application against it before deploying
  • Network-layer egress filtering can reduce exposure by limiting which WebSocket destinations clients may reach

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
