Memory Exhaustion Vulnerability in undici WebSocket Client Affects Node.js Applications
CVE-2026-9675

7.5 HIGH

Key Information:

Vendor

Undici

Status
Vendor
CVE Published:
17 June 2026

What is CVE-2026-9675?

The undici WebSocket client enforces maxPayloadSize per frame rather than per message. A malicious WebSocket server can therefore send a fragmented message as many small fragments that each pass the per-frame check while their cumulative size exceeds the limit. The client buffers all of them, so memory in the client process grows without bound, leading to memory exhaustion and potential denial of service. Users of undici version 8.1.0 are particularly at risk, but those on earlier versions or 8.5.0 and above are secure. Immediate action involves upgrading to a patched version to mitigate this risk.
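As an added illustration, not undici's own code, the toy fragment assembler below contrasts the per-frame check described above with a cumulative check that bounds the whole reassembled message; the `{ fin, payload }` frame shape, the `cumulative` switch and the sample fragments are constructed for the example.

```javascript
// Added example, not undici's implementation: a toy WebSocket fragment assembler.
// `frames` is an array of { fin, payload } objects (a simplified frame shape,
// assumed here); `cumulative` selects the fix that bounds the whole message.
function assembleFragments(frames, maxPayloadSize, { cumulative }) {
  const chunks = [];
  let buffered = 0;
  for (const frame of frames) {
    // Per-frame check: every small fragment passes this on its own.
    if (frame.payload.length > maxPayloadSize) {
      throw new RangeError('frame exceeds maxPayloadSize');
    }
    // Cumulative check: reject before buffering once the reassembled
    // message would exceed the limit, so buffered memory stays bounded.
    if (cumulative && buffered + frame.payload.length > maxPayloadSize) {
      throw new RangeError('fragmented message exceeds maxPayloadSize');
    }
    chunks.push(frame.payload);
    buffered += frame.payload.length;
    if (frame.fin) return Buffer.concat(chunks);
  }
  return null; // message still incomplete (no FIN seen yet)
}

// Constructed sample input: ten 16-byte fragments against a 64-byte limit.
const SAMPLE_FRAMES = Array.from({ length: 10 }, (_, i) => ({
  fin: i === 9,
  payload: Buffer.alloc(16, 0x41),
}));
const LIMIT = 64;

// Bytes buffered for the full message under each strategy, or -1 if rejected.
function bufferedBytes(cumulative) {
  try {
    return assembleFragments(SAMPLE_FRAMES, LIMIT, { cumulative }).length;
  } catch (err) {
    if (err instanceof RangeError) return -1;
    throw err;
  }
}

console.log('per-frame only:', bufferedBytes(false)); // 160, well past the 64-byte limit
console.log('cumulative    :', bufferedBytes(true));  // -1, rejected before buffering
```

A detection-side variant of the same idea is to count bytes buffered per in-flight message and alert when that counter exceeds the configured limit.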

Affected Version(s)

undici 8.0.0 < 8.5.0

undici 8.5.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

mauriceng98
Str1ckl4nd
mcollina
UlisesGascon
lzhou1110
Zyy0530