Node.js undici WebSocket Length Overflow Leading to Process Termination

Vulnerability

A vulnerability exists in the Node.js undici HTTP client library, affecting versions from 6.0.0 up to but not including 6.24.0, and from 7.0.0 up to but not including 7.24.0. The issue is triggered when a server sends a WebSocket frame whose payload length is encoded in the 64-bit extended-length format and carries an excessively large value. The value overflows the arithmetic in undici's ByteParser, corrupting its internal length calculations and leaving the parser in an invalid state. As a result, a fatal TypeError is thrown and the process crashes.
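The failure mode above comes down to how a WebSocket frame header's 64-bit extended payload length is read and bounded. The following is an added example, not undici's code, of a header parser that validates the length before any further arithmetic, so an oversized value is rejected with an ordinary error instead of propagating into the parser state; the 16 MiB per-frame limit is an assumed value.

```javascript
// Added example (not undici's own code): parse a WebSocket frame header per
// RFC 6455 section 5.2 and validate the 64-bit extended payload length before
// it reaches any arithmetic that could overflow. The limit is an assumption.

const MAX_PAYLOAD_BYTES = 16 * 1024 * 1024; // assumed per-frame limit (16 MiB)

// Returns { fin, opcode, masked, payloadLength, headerLength } or throws a
// plain Error that the caller can handle (never a TypeError from bad math).
function parseFrameHeader(buf) {
  if (buf.length < 2) throw new Error('need at least 2 bytes');
  const b0 = buf[0];
  const b1 = buf[1];
  const fin = (b0 & 0x80) !== 0;
  const opcode = b0 & 0x0f;
  const masked = (b1 & 0x80) !== 0;
  let len = b1 & 0x7f;
  let offset = 2;

  if (len === 126) {
    if (buf.length < 4) throw new Error('truncated 16-bit length');
    len = buf.readUInt16BE(2);
    offset = 4;
  } else if (len === 127) {
    if (buf.length < 10) throw new Error('truncated 64-bit length');
    // Read as BigInt: a plain Number silently loses precision above 2^53.
    const big = buf.readBigUInt64BE(2);
    // RFC 6455: the most significant bit of the 64-bit length MUST be 0.
    if (big >= (1n << 63n)) throw new Error('64-bit length has MSB set');
    // Bound the value while it is still a BigInt, before converting.
    if (big > BigInt(MAX_PAYLOAD_BYTES)) {
      throw new Error('payload length exceeds limit');
    }
    len = Number(big);
    offset = 10;
  }
  if (len > MAX_PAYLOAD_BYTES) throw new Error('payload length exceeds limit');
  if (masked) offset += 4; // 32-bit masking key follows the length
  return { fin, opcode, masked, payloadLength: len, headerLength: offset };
}
```

The same check belongs in any client-side frame reader: the length is untrusted server input and must be bounded before it drives buffer allocation or offset arithmetic.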

Impact

Exploitation of this vulnerability causes the Node.js process using undici to terminate abruptly due to an unhandled TypeError, disrupting any ongoing operations or connections managed by the client.

Remediation

Users are advised to upgrade to undici 6.24.0 or later on the 6.x line, or 7.24.0 or later on the 7.x line.

Added: Mar 12, 2026, 9:18 PM
Updated: Mar 12, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.