WebSocket Client Vulnerability in Undici Affects Node.js Applications
CVE-2026-12151

7.5 HIGH

Key Information:

Vendor

Undici

Status
Vendor
CVE Published:
17 June 2026

What is CVE-2026-12151?

The undici WebSocket client does not limit how many fragments a single WebSocket message may be split into. A malicious or compromised WebSocket server can send a large number of small or empty continuation frames, which the client buffers until the final fragment arrives, so memory grows without bound and the connecting Node.js application is denied service. Any application that uses undici to connect to a WebSocket server it does not fully trust is affected. Upgrade to undici 6.26.0, 7.28.0, or 8.5.0 (whichever matches the major line in use); no other workaround is available.
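To make the failure mode concrete, the following is an added, self-contained model of WebSocket message reassembly, not code from undici or from the page's authors. It encodes and decodes minimal unmasked frames (short payloads only, as a server would send to a client), then reassembles them two ways: an unbounded reassembler that keeps every fragment until FIN, and a bounded one that enforces an assumed per-message cap on fragment count and total bytes. The function names, the limits (100 fragments, 1024 bytes) and the constructed malicious stream are assumptions made for the example; undici's actual limits and internals are not described on this page.

```javascript
// Illustrative model of WebSocket fragmentation (RFC 6455 section 5.4) and of
// the unbounded-buffering bug class. Added example code, not undici's code.
const OPCODE_CONTINUATION = 0x0;
const OPCODE_TEXT = 0x1;

// Encode one unmasked (server-to-client) frame; payloads must be < 126 bytes
// so the 7-bit length field suffices (assumption of this model).
function encodeFrame(fin, opcode, payload) {
  const header = Buffer.from([(fin ? 0x80 : 0x00) | opcode, payload.length]);
  return Buffer.concat([header, payload]);
}

// Decode a byte stream of such frames into { fin, opcode, payload } objects.
function decodeFrames(buf) {
  const frames = [];
  let off = 0;
  while (off < buf.length) {
    const fin = (buf[off] & 0x80) !== 0;
    const opcode = buf[off] & 0x0f;
    const len = buf[off + 1] & 0x7f;
    if (len >= 126) throw new Error('extended payload lengths are not modelled');
    frames.push({ fin, opcode, payload: buf.subarray(off + 2, off + 2 + len) });
    off += 2 + len;
  }
  return frames;
}

// Vulnerable reassembly: every fragment is retained until FIN with no cap on
// count or size. Each empty continuation frame still costs a Buffer object
// plus array slot, so a server that never sends FIN grows memory without bound.
function reassembleUnbounded(frames) {
  const messages = [];
  let fragments = [];
  let peakFragments = 0;
  for (const f of frames) {
    fragments.push(Buffer.from(f.payload));
    peakFragments = Math.max(peakFragments, fragments.length);
    if (f.fin) {
      messages.push(Buffer.concat(fragments).toString());
      fragments = [];
    }
  }
  return { messages, peakFragments };
}

// Hardened reassembly: per-message limits on fragment count and total bytes
// (values are assumptions). Exceeding either aborts; a real client would then
// close the connection (close code 1009 "message too big" is the usual choice).
function reassembleBounded(frames, limits = {}) {
  const { maxFragments = 100, maxMessageBytes = 1024 } = limits;
  const messages = [];
  let fragments = [];
  let bytes = 0;
  for (const f of frames) {
    if (f.opcode === OPCODE_CONTINUATION && fragments.length === 0) {
      return { messages, error: 'continuation without initial frame' };
    }
    if (f.opcode !== OPCODE_CONTINUATION && fragments.length > 0) {
      return { messages, error: 'new message while fragmented' };
    }
    bytes += f.payload.length;
    if (bytes > maxMessageBytes) return { messages, error: 'message too large' };
    fragments.push(Buffer.from(f.payload));
    if (fragments.length > maxFragments) return { messages, error: 'too many fragments' };
    if (f.fin) {
      messages.push(Buffer.concat(fragments).toString());
      fragments = [];
      bytes = 0;
    }
  }
  return { messages, error: null };
}

// Constructed stream (not a capture): an unfinished text frame "he", then n
// empty continuation frames, then a final continuation frame "llo".
function buildFragmentedStream(n) {
  const parts = [encodeFrame(false, OPCODE_TEXT, Buffer.from('he'))];
  for (let i = 0; i < n; i++) {
    parts.push(encodeFrame(false, OPCODE_CONTINUATION, Buffer.alloc(0)));
  }
  parts.push(encodeFrame(true, OPCODE_CONTINUATION, Buffer.from('llo')));
  return Buffer.concat(parts);
}
```

With 500 empty continuation frames the unbounded reassembler still produces "hello" but holds 502 fragments at peak, and a server that simply never sends FIN would grow that number indefinitely; the bounded reassembler rejects the same stream at the 101st fragment while still accepting a legitimately fragmented message. The fix for real deployments remains upgrading undici; this model only shows what kind of limit the fixed versions must impose.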

Affected Version(s)

undici 0 < 6.26.0

undici 7.0.0 < 7.28.0

undici 8.0.0 < 8.5.0

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lpinca
Nadav0077
UlisesGascon