CVE-2026-1528
HIGH 7.5
Description
Impact: A server can reply with a WebSocket frame that uses the 64-bit length form and an extremely large length. undici's ByteParser overflows its internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches: Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
CVE Details
CVSS v3.1 Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 3/12/2026
Last Modified: 3/20/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
nodejs:undici
Weaknesses (CWE)
CWE-248, CWE-1284
References
https://cna.openjsf.org/security-advisories.html (ce714d77-add3-4f53-aff5-83d477b104bb)
https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj (ce714d77-add3-4f53-aff5-83d477b104bb)
https://hackerone.com/reports/3537648 (ce714d77-add3-4f53-aff5-83d477b104bb)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.