CVE-2026-1526
Published: 12 March 2026
Summary
CVE-2026-1526 is a high-severity Data Amplification (CWE-409) vulnerability in Nodejs Undici. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limits effects of data amplification from compressed or malicious inputs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Decompression bomb in undici WS client directly enables remote memory exhaustion leading to application crash via crafted compressed frames (T1499.004).
NVD Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size.…
more
A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Deeper analysisAI
CVE-2026-1526 is a denial-of-service vulnerability in the undici WebSocket client, stemming from unbounded memory consumption during permessage-deflate decompression. The issue resides in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without enforcing limits on the total decompressed size. This affects Node.js processes using the undici library when handling WebSocket connections that negotiate the permessage-deflate extension.
A remote attacker who controls a malicious WebSocket server can exploit this vulnerability against any undici client that connects and negotiates the extension. By sending a small compressed frame—a "decompression bomb"—that expands to an extremely large size upon decompression, the attacker triggers memory exhaustion in the victim's Node.js process, causing it to crash or become unresponsive. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its network accessibility, low attack complexity, lack of required privileges or user interaction, and high availability impact, mapped to CWE-409 (Improper Handling of Highly Compressed Data).
Mitigation guidance and patches are detailed in related advisories, including the GitHub security advisory for undici (GHSA-vrm6-8vpv-qv8q), the OpenJS Foundation CNA page, and the HackerOne disclosure report 3481206. Additional technical context on permessage-deflate is available in RFC 7692.
Details
- CWE(s)