{"id":"CVE-2026-12151","summary":"undici WebSocket client vulnerable to denial of service via fragment count bypass","details":"Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches: Upgrade to undici \u003e= 6.26.0, \u003e= 7.28.0, or \u003e= 8.5.0. Workarounds:\nNo workaround is available. The fix must be applied through an upgrade.","aliases":["GHSA-vxpw-j846-p89q"],"modified":"2026-07-11T03:54:26.925382139Z","published":"2026-06-17T16:05:38.785Z","related":["ALSA-2026:35841","ALSA-2026:35842","ALSA-2026:35891","ALSA-2026:35892","CGA-25v4-996r-f3gh","SUSE-SU-2026:22368-1","SUSE-SU-2026:2633-1","SUSE-SU-2026:2647-1","SUSE-SU-2026:2695-1","openSUSE-SU-2026:11121-1","openSUSE-SU-2026:21058-1","openSUSE-SU-2026:21236-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12151.json","cwe_ids":["CWE-400","CWE-770"],"cna_assigner":"openjs"},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12151.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34342"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:35841"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:35842"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:35891"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:35892"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36754"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36820"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-12151"},{"type":"ADVISORY","url":"https://cna.openjsf.org/security-advisories.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12151.json"},{"type":"ADVISORY","url":"https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12151"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489980"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/undici","events":[{"introduced":"0ca9c1e1faa8cac5ed9310dacbe2e9b5cfd4f6b1"},{"fixed":"551138cbc1742c92242a68216167761075e8a82c"},{"introduced":"1cfe0949053aac6267f11b919cee9315a27f1fd6"},{"fixed":"f9eba0ad9134e1c0977848476bba9d49734696e4"},{"introduced":"d7fbba51772deecb830a297647456a5e9f9fec57"},{"fixed":"a0806e1f66a83db0a792b8407c2e97fcf8ed58af"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"6.17.0"},{"fixed":"6.27.0"},{"introduced":"7.0.0"},{"fixed":"7.28.0"},{"introduced":"8.0.0"},{"fixed":"8.5.0"}]}}],"versions":["v6.26.0","v7.27.2","v8.4.1","v8.4.0","v7.27.1","v7.27.0","v7.26.0","v6.25.0","v8.3.0","v8.2.0","v7.25.0","v7.24.8","v8.1.0","v8.0.3","v8.0.2","v8.0.1","v8.0.0","v7.24.7","v7.24.6","v7.24.5","v7.24.4","v7.24.3","v7.24.2","v6.24.1","v6.24.0","v7.24.1","v7.24.0","v6.23.0","v7.23.0","v7.22.0","v7.21.0","v7.20.0","v7.19.2","v7.19.1","v7.19.0","v7.18.2","v7.18.1","v7.18.0","v6.22.0","v7.17.0","v7.16.0","v7.15.0","v6.21.3","v7.14.0","v7.13.0","v7.12.0","v7.11.0","v7.10.0","v6.21.2","v7.9.0","v7.8.0","v7.7.0","v7.5.0","v7.6.0","v7.4.0","v6.21.1","v7.3.0","v7.2.3","v7.2.2","v7.2.1","v7.2.0","v7.1.1","v7.1.0","v7.0.0","v6.21.0","v6.20.1","v6.20.0","v6.19.8","v6.19.7","v6.19.6","v6.19.5","v6.19.4","v6.19.3","v6.19.2","v6.19.1","v6.19.0","v6.18.2","v6.18.1","v6.18.0","v6.17.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12151.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}