CVE-2026-9675 | Severity: HIGH | CNA: openjs

CVE-2026-9675: undici WebSocket client vulnerable to denial of service via cumulative fragment bypass

Impact: The undici WebSocket client enforces maxPayloadSize per frame but does not enforce the cumulative size of fragmented, uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.

Patches: Upgrade to undici >= 8.5.0.

Workarounds: No workaround is available. The fix must be applied through an upgrade.
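The bypass is easiest to see in a frame reassembler. The following is an added illustration, not undici's code and not the 8.5.0 patch: a minimal parser for unmasked server-to-client WebSocket frames (RFC 6455 section 5.2, no permessage-deflate) whose reassemble() can be run either with the per-frame-only check the advisory describes or with a cumulative check applied as each fragment lands. The attackStream() helper and the 1024-byte limit are constructed test data; all names are hypothetical.

```javascript
// Added example: per-frame vs cumulative maxPayloadSize enforcement for
// fragmented WebSocket messages. Not undici's implementation.
// Frames are assumed unmasked (server -> client) and uncompressed.

const OP_CONTINUATION = 0x0;
const OP_TEXT = 0x1;
const OP_BINARY = 0x2;

// Build one unmasked frame the way a server would send it (constructed data).
function encodeFrame(opcode, payload, fin) {
  const first = (fin ? 0x80 : 0x00) | opcode;
  const len = payload.length;
  let header;
  if (len < 126) {
    header = Buffer.from([first, len]);
  } else if (len < 0x10000) {
    header = Buffer.alloc(4);
    header[0] = first;
    header[1] = 126;
    header.writeUInt16BE(len, 2);
  } else {
    header = Buffer.alloc(10);
    header[0] = first;
    header[1] = 127;
    header.writeBigUInt64BE(BigInt(len), 2);
  }
  return Buffer.concat([header, payload]);
}

// Split a byte stream into { fin, opcode, payload } frames.
function decodeFrames(buf) {
  const frames = [];
  let off = 0;
  while (off < buf.length) {
    const b0 = buf[off];
    const b1 = buf[off + 1];
    if ((b1 & 0x80) !== 0) throw new Error('server frames must not be masked');
    let len = b1 & 0x7f;
    off += 2;
    if (len === 126) { len = buf.readUInt16BE(off); off += 2; }
    else if (len === 127) { len = Number(buf.readBigUInt64BE(off)); off += 8; }
    const payload = buf.subarray(off, off + len);
    if (payload.length !== len) throw new Error('truncated frame');
    off += len;
    frames.push({ fin: (b0 & 0x80) !== 0, opcode: b0 & 0x0f, payload });
  }
  return frames;
}

// Reassemble fragmented messages under a maxPayloadSize limit.
// enforceCumulative=false mirrors the flawed behaviour: only each fragment is
// checked, so the buffered message can grow past the limit without bound.
// enforceCumulative=true checks the running total on every fragment.
function reassemble(buf, maxPayloadSize, enforceCumulative) {
  const messages = [];
  let fragments = [];
  let total = 0;
  for (const f of decodeFrames(buf)) {
    if (f.payload.length > maxPayloadSize) {
      throw new Error(`frame of ${f.payload.length} bytes exceeds maxPayloadSize`);
    }
    if (f.opcode >= 0x8) continue; // control frames may interleave; not part of the message
    if (f.opcode !== OP_CONTINUATION && fragments.length > 0) {
      throw new Error('new data frame while a fragmented message is in flight');
    }
    if (f.opcode === OP_CONTINUATION && fragments.length === 0) {
      throw new Error('continuation frame without a preceding fragment');
    }
    total += f.payload.length;
    if (enforceCumulative && total > maxPayloadSize) {
      throw new Error(`message of ${total} bytes exceeds maxPayloadSize`);
    }
    fragments.push(f.payload);
    if (f.fin) {
      messages.push(Buffer.concat(fragments));
      fragments = [];
      total = 0;
    }
  }
  return messages;
}

// Constructed attack stream: 64 fragments of 100 bytes (6400 bytes total),
// each well under a 1024-byte per-frame limit.
function attackStream(fragmentSize = 100, count = 64) {
  const parts = [];
  for (let i = 0; i < count; i++) {
    const opcode = i === 0 ? OP_BINARY : OP_CONTINUATION;
    parts.push(encodeFrame(opcode, Buffer.alloc(fragmentSize, 0x41), i === count - 1));
  }
  return Buffer.concat(parts);
}

// Returns the bytes the per-frame-only client buffered (6400, the bypass) and
// whether the cumulative check rejected the same stream (true).
function demo() {
  const limit = 1024;
  const stream = attackStream();
  const buffered = reassemble(stream, limit, false)[0].length;
  let rejected = false;
  try { reassemble(stream, limit, true); } catch { rejected = true; }
  return { buffered, rejected };
}
```

Run demo() under Node: the per-frame-only path accepts a 6400-byte message against a 1024-byte limit, while the cumulative path rejects the stream on the eleventh fragment. A real client has a second decision to make that this snippet does not show: whether to close the connection with a 1009 (Message Too Big) status rather than just drop the message.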

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 8.5.0
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the undici WebSocket client, listed here as affecting versions 8.0.0 through 8.4.x. The client enforces a per-frame size limit (maxPayloadSize) but not the cumulative size of a fragmented, uncompressed message, so a malicious or compromised WebSocket server can stream many small fragments that each pass the per-frame check but together exhaust process memory. Exploitation requires no authentication and is reachable over the network; the affected Node.js process crashes or becomes unresponsive. Note that the advisory text describes the regression as specific to 8.1.0 while the affected-package range lists 8.0.0 as its lower bound; treat any 8.x release below 8.5.0 as in scope until the exact version you run has been confirmed. A patched-image rebuild at undici 8.5.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment. The CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle undici 8.0.0 through 8.4.x as a direct or transitive dependency. Any image in a connected registry or CI pipeline is eligible for matching as soon as the advisory is indexed.
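Transitive copies are the ones scanners miss most often, because a second undici can sit nested under another package's node_modules while the top-level copy is already fixed. The following is an added example, not HarborGuard's or undici's tooling: it walks the packages map of a package-lock.json (lockfileVersion 2 or 3) and reports every undici entry inside the range this page lists (>= 8.0.0 and < 8.5.0). SAMPLE_LOCK is constructed data and its versions are chosen only to exercise the range check; the version comparison ignores pre-release suffixes, which is an assumption.

```javascript
// Added example: find affected undici copies, direct or transitive, in a lockfile.
// Range taken from this page's Affected packages entry.
const AFFECTED_FROM = '8.0.0';
const FIXED_IN = '8.5.0';

// Numeric compare of dotted versions; pre-release suffixes are dropped (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 && compareVersions(version, FIXED_IN) < 0;
}

// Keys look like "node_modules/undici" (direct) or
// "node_modules/foo/node_modules/undici" (nested transitive copy).
function findAffectedUndici(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isUndici = path === 'node_modules/undici' || path.endsWith('/node_modules/undici');
    if (isUndici && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile: a direct copy at 8.1.0, a transitive copy on the
// unaffected 6.25.0 line, and a nested transitive copy at 8.4.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { undici: '^8.1.0', 'some-client': '^1.0.0' } },
    'node_modules/undici': { version: '8.1.0' },
    'node_modules/some-client': { version: '1.0.0', dependencies: { undici: '^6.25.0' } },
    'node_modules/some-client/node_modules/undici': { version: '6.25.0' },
    'node_modules/other-lib': { version: '2.0.0' },
    'node_modules/other-lib/node_modules/undici': { version: '8.4.0' },
  },
};

// Returns the two affected entries from the sample; the 6.25.0 copy is skipped.
function demoScan() {
  return findAffectedUndici(SAMPLE_LOCK);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')). Each hit's path tells you which parent package pins the vulnerable copy, which is what you need to know when bumping the top-level undici alone does not clear the finding.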
Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and can weight that score against each environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Available

A patched-image rebuild at undici 8.5.0 becomes available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must operate a reachable WebSocket server that the vulnerable client connects to over the network; the attack is initiated by the server side of that connection.

  • Authentication: Not required

    No authentication is required; the attacker only needs the client to establish a WebSocket connection to an attacker-controlled or compromised endpoint.

  • Victim interaction: Not required

    No user interaction is needed beyond the application's normal operation of opening a WebSocket connection.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free once the client connects; no race conditions or special memory layout are required to trigger unbounded memory growth.

Blast Radius

  • The affected client process exhausts available memory as the server streams cumulative fragments past the configured limit.
  • The Node.js process hosting the undici WebSocket client crashes or becomes unresponsive, taking down any co-located functionality in the same process.
  • No confidential data is disclosed and no data is modified; impact is limited to availability of the affected service.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all connected registries and pipelines, matching images that include undici 8.0.0 through 8.4.x. Because no workaround exists and the only remediation path is upgrading to undici 8.5.0, prompt patching is the sole effective control. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at the fixed version, run regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review, HarborGuard routes the finding with full CVSS context to the configured team inbox so engineers can act without first triaging severity themselves. Because the advisory names no compensating control short of upgrading, customers who cannot immediately patch should consider egress network-policy isolation that restricts which WebSocket endpoints their workloads may reach, reducing the attack surface until the upgrade is applied. Two caveats apply: this only helps where the set of legitimate endpoints is known and enumerable, and it does nothing against a legitimate endpoint that has itself been compromised, which the advisory explicitly lists as an attack path.


Fix available: 8.5.0

Affected packages
  • undici / undici
    Affected: >= 8.0.0, < 8.5.0
    Fixed in: 8.5.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H