Denial of Service due to unbounded memory growth via WebSocket frames
Summary
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. All releases starting at undici 6.17.0 are affected. Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade. A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API. This Important denial of service flaw in the `undici` WebSocket client allows a remote attacker to cause unbounded memory growth. By sending numerous small or empty WebSocket frames, an unauthenticated attacker can exhaust system memory, leading to a denial of service in Red Hat products that use the affected client. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-770. Fixed by RHSA-2026:35841, RHSA-2026:35842, RHSA-2026:34342 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10; Cluster Observability Operator 1.5.0. Will not fix / out of support: Red Hat Hardened Images.
- cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494
- cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193
- cluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9:1782839996
- cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981
- cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519
- cluster-observability-operator/logging-console-plugin-pf5-rhel9:1782840539
- nodejs24-1:24.18.0-1.el10_2
- cluster-observability-operator/monitoring-console-plugin-rhel9:1782838476
- nodejs22-1:22.23.1-2.el10_2
- cluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753
- cluster-observability-operator/logging-console-plugin-pf4-rhel9:1782839279
- cluster-observability-operator/monitoring-console-plugin-pf5-rhel9:1782844225
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- nodejs24-1:24.18.0-1.el10_2
- nodejs22-1:22.23.1-2.el10_2
- cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519
- cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981
- cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193
- cluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753
- cluster-observability-operator/logging-console-plugin-pf4-rhel9:1782839279
- cluster-observability-operator/logging-console-plugin-pf5-rhel9:1782840539
- cluster-observability-operator/logging-console-plugin-rhel9:1782841925
- cluster-observability-operator/monitoring-console-plugin-pf5-rhel9:1782844225
- cluster-observability-operator/monitoring-console-plugin-pf6-rhel9:1782839658
- cluster-observability-operator/monitoring-console-plugin-rhel9:1782838476
- cluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9:1782839996
- cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494
- RHSA-2026:35841
- RHSA-2026:35842
- RHSA-2026:34342
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.