← Retour aux CVEs
CVE-2026-1528
HIGH7.5
Description
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Details CVE
Score CVSS v3.17.5
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie3/12/2026
Derniere modification3/20/2026
Sourcenvd
Observations honeypot0
Produits affectes
nodejs:undici
Faiblesses (CWE)
CWE-248CWE-1284
References
https://cna.openjsf.org/security-advisories.html(ce714d77-add3-4f53-aff5-83d477b104bb)
https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj(ce714d77-add3-4f53-aff5-83d477b104bb)
https://hackerone.com/reports/3537648(ce714d77-add3-4f53-aff5-83d477b104bb)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.