CVE-2026-9675 | Impact: The undici WebSocket client enforces maxPayloadSize … | CVSS 7.5 HIGH

Description

Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected. Patches: Upgrade to undici >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade.

Metadata

CVE ID: CVE-2026-9675
State: PUBLISHED
Assigner: openjs
Reserved: 2026-05-27 07:10 UTC
Published: 2026-06-17 16:20 UTC
Last updated: 2026-06-17 17:29 UTC
Primary CWE: CWE-400
CWE-400: Uncontrolled Resource Consumption
Vendor / Product: undici / undici
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
undici	undici	—	8.0.0 < 8.5.0, 8.5.0

Weakness (CWE)

CWE	Source	Description
CWE-400	cna	CWE-400: Uncontrolled Resource Consumption
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)