undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Summary
The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected. Patches: Upgrade to undici >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade. A flaw was found in undici. A malicious WebSocket server could exploit this vulnerability by sending fragmented messages that individually meet size limits but collectively exceed them. This can lead to unbounded memory growth in the client process, resulting in memory exhaustion and a denial of service (DoS). This is rated Moderate by Red Hat (CVSS 5.9) because successful exploitation requires the undici WebSocket client to connect to an attacker-controlled server (AC:H), which is unlikely in typical Red Hat product deployments where WebSocket endpoints are trusted internal services. No Red Hat product is affected — all streams shipping undici bundle versions 5.x through 7.x, which are outside the vulnerable range of 8.0.0 to 8.4.x. The vulnerable code path (unbounded WebSocket frame accumulation) was introduced in undici 8.0.0 and is not present in earlier major versions. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-400. Fixed by RHSA-2026:22934, RHSA-2026:25561, RHSA-2026:7378 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- rust-main-1.96.0-1.hum1
- nodejs24-main-24.16.0-1.hum1
- nodejs25-main-25.9.0-1.1.hum1
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- rust-main-1.96.0-1.hum1
- nodejs24-main-24.16.0-1.hum1
- nodejs25-main-25.9.0-1.1.hum1
- RHSA-2026:22934
- RHSA-2026:25561
- RHSA-2026:7378
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Red Hat products that bundle the undici HTTP client ship versions 5.x, 6.x, and 7.x, which do not contain the vulnerable WebSocket frame accumulation code path introduced in undici 8.0.0. No Red Hat product streams are affected by this vulnerability. Users who have manually installed undici 8.x outside of Red Hat-provided packages should upgrade to undici 8.5.0 or later to fully resolve this issue.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.