CVE-2026-2229
Published: 12 March 2026
Summary
CVE-2026-2229 is a high-severity Uncaught Exception (CWE-248) vulnerability in Node.js undici. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 38.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-2229 is a denial-of-service vulnerability in the undici WebSocket client, a component used within Node.js applications. The issue arises from improper validation of the server_max_window_bits parameter during negotiation of the permessage-deflate compression extension. When a client connects to a WebSocket server, it automatically advertises support for permessage-deflate. A malicious server can respond with a value outside zlib's valid windowBits range of 8-15. Subsequent receipt of a compressed frame causes the client to invoke zlib's createInflateRaw() with the invalid parameter, triggering an uncaught RangeError exception. This stems from the isValidClientWindowBits() function checking only for ASCII digits rather than for the valid range, combined with the absence of a try-catch block around the inflate creation, which allows the exception to propagate and crash the Node.js process. The vulnerability is rated 7.5 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-248 and CWE-1284.
Any remote attacker controlling a WebSocket server can exploit this vulnerability when a vulnerable undici client initiates a connection. No authentication or user interaction is required. The attacker simply negotiates the permessage-deflate extension with an invalid server_max_window_bits value and sends a compressed frame, immediately causing a synchronous process crash and denial of service.
Mitigation details are available in advisories from the OpenJS Foundation CNA and the undici GitHub security advisory (GHSA-v9p9-hfj2-hcw8), along with the related HackerOne report (3487486). These reference the permessage-deflate RFC 7692 and Node.js zlib documentation for context on valid parameters.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11704
Vulnerability details
Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
- CWE(s): CWE-248, CWE-1284
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
DoS via an uncaught exception on an invalid zlib parameter during WebSocket permessage-deflate negotiation, which directly matches Application or System Exploitation (T1499.004) with an endpoint availability impact.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the improper validation of server_max_window_bits by requiring checks for the valid range (8-15) rather than only for ASCII digits.
- SI-11 (Error Handling): Mitigates the uncaught RangeError from zlib inflateRaw by mandating try-catch blocks or graceful error handling to prevent process crashes.
- Requires timely remediation of the flaw in the undici WebSocket client through patching to fix the validation and error-handling deficiencies.