CVE-2026-1528
Published: 12 March 2026
Summary
CVE-2026-1528 is a high-severity Uncaught Exception (CWE-248) vulnerability in Nodejs Undici. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1528 is a denial-of-service vulnerability in the undici library, a Node.js HTTP and WebSocket client. The issue arises in undici's ByteParser when processing a WebSocket frame that uses the 64-bit length form with an extremely large length value. This causes an internal math overflow, leading the parser to an invalid state and triggering a fatal TypeError that terminates the process.
A remote attacker can exploit this vulnerability by controlling a server to which an undici-based client connects over WebSocket. No authentication, privileges, or user interaction are required, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation results in a crash of the affected client process, enabling denial of service against applications relying on vulnerable undici versions.
Advisories recommend upgrading to undici version v7.24.0 or v6.24.0 or later, where the issue is patched. Additional details are available in the OpenJSF CNA security advisories, the GitHub Security Advisory GHSA-f269-vfmq-vjvj for nodejs/undici, and the related HackerOne report 3537648. The vulnerability is associated with CWE-248 (Uncaught Exception) and CWE-1284 (Immutable Object with Mutable Interface).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11703
Vulnerability details
Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches: Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote exploitation of the undici WebSocket parser to crash the client process via an integer overflow and an uncaught exception, directly matching application or system exploitation for endpoint denial of service.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation requires upgrading to patched undici versions v7.24.0 or v6.24.0, directly eliminating the WebSocket frame length overflow vulnerability.
Information input validation enforces checks on WebSocket frame lengths to reject oversized 64-bit values before ByteParser processing, preventing math overflow and crashes.
Error handling ensures parsing exceptions from invalid WebSocket frames do not result in fatal TypeErrors that terminate the process.
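The input-validation control above, shown as an added example that is not undici's own ByteParser code: an RFC 6455 payload-length decoder that reads the 64-bit length form with BigInt, rejects a set most-significant bit and any length above a configured limit, and returns a structured error instead of throwing. `decodePayloadLength`, `naiveDecode64`, `buildHeader64` and the `MAX_PAYLOAD` limit are hypothetical names chosen for this illustration.

```javascript
// Constructed per-message limit for the example; real clients would make this configurable.
const MAX_PAYLOAD = 2 ** 31 - 1;

// Decodes the payload length from the start of a WebSocket frame header.
// Returns { ok: true, length, headerBytes } or { ok: false, reason }.
function decodePayloadLength(buf) {
  if (buf.length < 2) return { ok: false, reason: 'short header' };
  const len7 = buf[1] & 0x7f;            // low 7 bits of byte 1 (mask bit stripped)
  if (len7 < 126) return { ok: true, length: len7, headerBytes: 2 };
  if (len7 === 126) {                    // 16-bit extended length
    if (buf.length < 4) return { ok: false, reason: 'short header' };
    return { ok: true, length: buf.readUInt16BE(2), headerBytes: 4 };
  }
  // 64-bit extended length: decode as BigInt so nothing is lost above 2^53.
  if (buf.length < 10) return { ok: false, reason: 'short header' };
  const len64 = buf.readBigUInt64BE(2);
  if (len64 & (1n << 63n)) return { ok: false, reason: 'msb set (RFC 6455 5.2)' };
  if (len64 > BigInt(MAX_PAYLOAD)) return { ok: false, reason: 'payload too large' };
  return { ok: true, length: Number(len64), headerBytes: 10 };
}

// Contrast: doing the 64-bit math in Number silently exceeds MAX_SAFE_INTEGER,
// which is the kind of value that pushes a parser into an invalid state.
function naiveDecode64(buf) {
  const hi = buf.readUInt32BE(2);
  const lo = buf.readUInt32BE(6);
  return hi * 2 ** 32 + lo;
}

// Builds a constructed, unmasked binary-frame header using the 64-bit length form.
function buildHeader64(len) {
  const b = Buffer.alloc(10);
  b[0] = 0x82;                 // FIN + binary opcode
  b[1] = 127;                  // 127 selects the 64-bit length form
  b.writeBigUInt64BE(len, 2);
  return b;
}
```

A client would pass any `{ ok: false }` result to its normal close handling (e.g. a protocol-error close frame) rather than letting the length reach the payload reader.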