CVE-2026-2229
Published: 12 March 2026
Summary
CVE-2026-2229 is a high-severity Uncaught Exception (CWE-248) vulnerability in Node.js undici. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 42.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A denial of service caused by an uncaught exception on an invalid zlib parameter during WebSocket permessage-deflate negotiation; this maps directly to Application or System Exploitation because the impact is on endpoint availability.
NVD Description
Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Deeper analysis
CVE-2026-2229 is a denial-of-service vulnerability in the undici WebSocket client, a component used within Node.js applications. The issue arises from improper validation of the server_max_window_bits parameter during negotiation of the permessage-deflate compression extension. When a client connects to a WebSocket server, it automatically advertises support for permessage-deflate. A malicious server can respond with an out-of-range value outside zlib's valid windowBits range of 8-15. Subsequent receipt of a compressed frame causes the client to invoke zlib's createInflateRaw() with the invalid parameter, triggering an uncaught RangeError exception. This stems from the isValidClientWindowBits() function checking only for ASCII digits rather than the valid range, combined with the absence of a try-catch block around the inflate creation, allowing the exception to propagate and crash the Node.js process. The vulnerability is rated 7.5 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-248 and CWE-1284.
Any remote attacker controlling a WebSocket server can exploit this vulnerability when a vulnerable undici client initiates a connection. No authentication or user interaction is required. The attacker simply negotiates the permessage-deflate extension with an invalid server_max_window_bits value and sends a compressed frame, immediately causing a synchronous process crash and denial of service.
Mitigation details are available in advisories from the OpenJS Foundation CNA and the undici GitHub security advisory (GHSA-v9p9-hfj2-hcw8), along with the related HackerOne report (3487486). These reference the permessage-deflate RFC 7692 and Node.js zlib documentation for context on valid parameters.
Details
- CWE(s)