Undici <7.24.0: Invalid permessage-deflate server_max_window_bits Causes DoS
CVE-2026-2229 Published on March 12, 2026
undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process
Vulnerability Analysis
CVE-2026-2229 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
Uncaught Exception
An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information.
Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Products Associated with CVE-2026-2229
Want to know whenever a new CVE is published for nodejs Undici? stack.watch will email you.
Affected Versions
undici:- Version < 6.24.0; 7.0.0 < 7.24.0 is affected.
- Version 6.24.0: 7.24.0 is unaffected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2026-2229
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | undici | < 6.24.0 | 6.24.0 |
| npm | undici | >= 7.0.0, < 7.24.0 | 7.24.0 |