HIGH · CVE-2026-12151 · Published · Modified · CNA: openjs

CVE-2026-12151: undici WebSocket client vulnerable to denial of service via fragment count bypass

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. All releases starting at undici 6.17.0 are affected.

Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0.

Workarounds: No workaround is available. The fix must be applied through an upgrade.
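The check that the advisory describes, modelled as an added example (this is not undici's code and not part of the advisory): a toy fragment assembler that enforces only a cumulative-size cap, beside the same assembler with a fragment-count cap added. It is the regression check a maintainer would write for the fix: empty continuation frames add zero bytes, so the size check never fires, but every frame still parks another buffer object in memory until a count limit stops it. FragmentAssembler, maxPayloadSize, maxFragments, feedEmptyContinuations and compareLimits are names assumed for this illustration, and the 100000-frame input is constructed.

```javascript
// Added illustration (not undici's own code): a simplified model of a
// WebSocket client's fragment reassembly. FragmentAssembler, maxPayloadSize
// and maxFragments are hypothetical names chosen for this example.

class FragmentAssembler {
  constructor({ maxPayloadSize, maxFragments = Infinity }) {
    this.maxPayloadSize = maxPayloadSize; // cap on bytes per frame and per message
    this.maxFragments = maxFragments;     // cap on frames held for one message
    this.fragments = [];                  // Buffers held until the FIN frame arrives
    this.totalBytes = 0;
  }

  // Feed one frame. Returns the reassembled Buffer when `fin` is set,
  // otherwise null; throws when a limit is exceeded.
  pushFrame({ payload, fin }) {
    if (payload.length > this.maxPayloadSize) {
      throw new RangeError('frame payload exceeds maxPayloadSize');
    }
    if (this.totalBytes + payload.length > this.maxPayloadSize) {
      throw new RangeError('cumulative message size exceeds maxPayloadSize');
    }
    // The two size checks above never fire for an empty frame: it adds 0
    // bytes, yet still parks one more Buffer object in `fragments`. Only a
    // fragment-count limit bounds that growth.
    if (this.fragments.length >= this.maxFragments) {
      throw new RangeError('fragment count exceeds maxFragments');
    }
    this.fragments.push(payload);
    this.totalBytes += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = [];
    this.totalBytes = 0;
    return message;
  }

  heldFragmentCount() {
    return this.fragments.length;
  }
}

// Feed `n` empty, non-final continuation frames (constructed test input)
// and report how many the assembler is still holding, plus the limit that
// fired, if any. A fresh Buffer per frame mirrors a client receiving a
// separate frame each time.
function feedEmptyContinuations(assembler, n) {
  for (let i = 0; i < n; i++) {
    try {
      assembler.pushFrame({ payload: Buffer.alloc(0), fin: false });
    } catch (err) {
      return { held: assembler.heldFragmentCount(), rejected: err.message };
    }
  }
  return { held: assembler.heldFragmentCount(), rejected: null };
}

// Compare the weak policy (size cap only) with the hardened policy (size
// cap plus fragment cap) on the same input.
function compareLimits(frameCount = 100000) {
  const weak = new FragmentAssembler({ maxPayloadSize: 1024 });
  const hardened = new FragmentAssembler({ maxPayloadSize: 1024, maxFragments: 1000 });
  return {
    weak: feedEmptyContinuations(weak, frameCount),
    hardened: feedEmptyContinuations(hardened, frameCount),
  };
}

console.log(JSON.stringify(compareLimits(), null, 2));
```

Running the block shows the weak assembler holding all 100000 zero-byte fragments with no limit ever tripping, while the hardened one stops at 1000. The number 1000 is an arbitrary cap chosen for the illustration; what matters for a fix is that some count limit exists alongside the byte limit.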

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 6.26.0
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the undici WebSocket client. A malicious or compromised WebSocket server can send a large number of small or empty continuation frames that individually pass undici's per-frame and cumulative payload size checks, causing unbounded memory growth in the connecting client process until memory is exhausted. No authentication or special conditions are required for a server to trigger this against any client that connects to it. Patched-image rebuilds at undici 6.26.0, 7.28.0, and 8.5.0 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment. CVE-2026-12151 is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle undici directly.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and surfaces it through per-environment compliance policy weighting to route findings to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at undici 6.26.0, 7.28.0, or 8.5.0 (depending on the affected release line present in the image) becomes available on HarborGuard once the fix versions are confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must operate or control a WebSocket server reachable over the network that the vulnerable undici client connects to.

  • Authentication: Not required

    No authentication is required; any WebSocket server the client connects to can send malicious continuation frames without any credentials.

  • Victim interaction: Not required

    No user interaction is needed beyond the client application establishing a WebSocket connection, which may happen automatically.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploit conditions are straightforward and reliable; the attacker simply streams small or empty continuation frames with no race conditions or special memory layout requirements.

Blast Radius

  • The client process accumulates unbounded in-memory frame buffer data, exhausting available memory on the host.
  • Memory exhaustion crashes or hangs the affected Node.js process, taking down any service built on that undici WebSocket client instance.
  • If the affected process shares a container or pod with other workloads, memory pressure can degrade or terminate those co-located services as well.

How HarborGuard Handles This

Available on HarborGuard: images containing undici versions in the affected ranges (6.17.0 through 6.25.x, 7.0.0 through 7.27.x, and 8.0.0 through 8.4.x) are flagged as soon as the CVE is ingested. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the appropriate fixed version (6.26.0, 7.28.0, or 8.5.0), runs a regression check, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Because no workaround is available and the upstream advisory is explicit that an upgrade is the only remediation, customers who cannot immediately auto-remediate should consider network-policy controls that restrict which WebSocket endpoints their services are permitted to connect to, reducing exposure to attacker-controlled servers while the upgrade is scheduled.
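The version matching that the flagging step above relies on, as an added example (not HarborGuard's or undici's code): a small semver comparator, the three affected ranges as stated in the Impact text (starting at 6.17.0, and fixed in 6.26.0, 7.28.0 and 8.5.0; note that the Affected packages listing on this page gives "from 0" for the 6.x line, and the example follows the Impact text), and a walk over a package-lock.json that reports every undici copy, including nested ones. AFFECTED_RANGES, isAffected, fixedVersionFor and findUndiciInLock are names chosen for this example, and SAMPLE_LOCK is a constructed lockfile.

```javascript
// Added example (not HarborGuard's or undici's code): check undici versions
// found in a package-lock.json against the affected ranges from the advisory.
// AFFECTED_RANGES, isAffected, fixedVersionFor and findUndiciInLock are
// hypothetical names; SAMPLE_LOCK is constructed input.

const AFFECTED_RANGES = [
  { from: '6.17.0', fixedIn: '6.26.0' },
  { from: '7.0.0', fixedIn: '7.28.0' },
  { from: '8.0.0', fixedIn: '8.5.0' },
];

// Parse "x.y.z" into [major, minor, patch]. A leading "v" and any
// pre-release suffix are ignored, which is enough for lockfile entries.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The fixed release for the line `version` falls in, or null when the
// version is outside every affected range.
function fixedVersionFor(version) {
  const hit = AFFECTED_RANGES.find(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixedIn) < 0,
  );
  return hit ? hit.fixedIn : null;
}

function isAffected(version) {
  return fixedVersionFor(version) !== null;
}

// Walk the "packages" map of a lockfileVersion 2 or 3 package-lock.json and
// report every undici copy, including copies nested under other dependencies
// (keys look like "node_modules/<dep>/node_modules/undici").
function findUndiciInLock(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/undici' || path.endsWith('/node_modules/undici')) {
      results.push({
        path,
        version: meta.version,
        affected: isAffected(meta.version),
        fixedIn: fixedVersionFor(meta.version),
      });
    }
  }
  return results;
}

// Constructed sample lockfile: a top-level undici on a version inside the
// 7.x affected range and a nested copy already on a fixed release.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/undici': { version: '7.10.0' },
    'node_modules/some-dep/node_modules/undici': { version: '6.26.0' },
  },
};

console.log(findUndiciInLock(SAMPLE_LOCK));
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Nested copies matter here because a transitive dependency can pin its own undici under its own node_modules, and a check that only looks at the top-level entry would miss it.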


Fix available: 6.26.0, 7.28.0, 8.5.0

Affected packages
  • undici / undici
    < 6.26.0 (from 0) · < 7.28.0 (from 7.0.0) · < 8.5.0 (from 8.0.0)
    Fixed in 6.26.0, 7.28.0, 8.5.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H