nodejs undici
cpe:2.3:a:nodejs:undici:*:*:*:*:node.js:*:*
- < 6.24.0
- >= 7.0.0, < 7.24.0
A denial-of-service vulnerability has been identified in the undici WebSocket client, affecting versions before 6.24.0 and 7.x versions before 7.24.0. The issue arises during the decompression of WebSocket frames that use the permessage-deflate extension: the client inflates incoming compressed frames without imposing any limit on the size of the decompressed data. A malicious WebSocket server can therefore send a small compressed frame that expands to a far larger size in memory, driving memory consumption up until the Node.js process runs out of available memory and crashes or becomes unresponsive. The defect lies in the PerMessageDeflate.decompress() method, which collects all decompressed chunks in memory and merges them into a single Buffer without checking whether the total size exceeds a safe limit.
Exploitation of this vulnerability causes a remote denial-of-service condition in any Node.js application that uses the undici WebSocket client. The memory exhaustion occurs in native or external memory, bypassing the limits of the V8 heap, and can lead to the Node.js process crashing or becoming unresponsive.
Users on the 6.x line should upgrade to undici 6.24.0 or later; users on the 7.x line should upgrade to 7.24.0 or later.