Vulnerability details: VCID-hgd1-7u6j-p7dh
Vulnerability ID VCID-hgd1-7u6j-p7dh
Aliases CVE-2026-2229
GHSA-v9p9-hfj2-hcw8
Summary: Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

### Impact

The undici WebSocket client is vulnerable to a denial-of-service attack because it does not properly validate the `server_max_window_bits` parameter of the permessage-deflate extension (RFC 7692). When the client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious (or compromised) server can respond with an out-of-range `server_max_window_bits` value, i.e. outside zlib's valid window range of 8-15. When that server then sends a compressed frame, the client tries to create a zlib InflateRaw instance with the invalid windowBits value; `createInflateRaw()` throws a synchronous RangeError that nothing catches, and the Node.js process terminates.

The vulnerability exists because:

1. The `isValidClientWindowBits()` function only checks that the value consists of ASCII digits, not that it falls within the valid range 8-15.
2. The `createInflateRaw()` call is not wrapped in a try-catch block.
3. The resulting exception propagates up the call stack and crashes the Node.js process.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json
epss 0.00186 https://api.first.org/data/v1/epss?cve=CVE-2026-2229
epss 0.00203 https://api.first.org/data/v1/epss?cve=CVE-2026-2229
cvssv3.1 7.5 https://cna.openjsf.org/security-advisories.html
generic_textual HIGH https://cna.openjsf.org/security-advisories.html
ssvc Track https://cna.openjsf.org/security-advisories.html
cvssv3.1 7.5 https://datatracker.ietf.org/doc/html/rfc7692
generic_textual HIGH https://datatracker.ietf.org/doc/html/rfc7692
ssvc Track https://datatracker.ietf.org/doc/html/rfc7692
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
cvssv3.1 7.5 https://github.com/nodejs/undici
generic_textual HIGH https://github.com/nodejs/undici
cvssv3.1 7.5 https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
cvssv3.1_qr HIGH https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
generic_textual HIGH https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
ssvc Track https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
cvssv3.1 7.5 https://hackerone.com/reports/3487486
generic_textual HIGH https://hackerone.com/reports/3487486
ssvc Track https://hackerone.com/reports/3487486
cvssv3.1 7.5 https://nodejs.org/api/zlib.html#class-zlibinflateraw
generic_textual HIGH https://nodejs.org/api/zlib.html#class-zlibinflateraw
ssvc Track https://nodejs.org/api/zlib.html#class-zlibinflateraw
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-2229
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-2229
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://cna.openjsf.org/security-advisories.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/ Found at https://cna.openjsf.org/security-advisories.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://datatracker.ietf.org/doc/html/rfc7692
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/ Found at https://datatracker.ietf.org/doc/html/rfc7692
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/nodejs/undici
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/ Found at https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://hackerone.com/reports/3487486
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/ Found at https://hackerone.com/reports/3487486
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nodejs.org/api/zlib.html#class-zlibinflateraw
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/ Found at https://nodejs.org/api/zlib.html#class-zlibinflateraw
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-2229
Exploit Prediction Scoring System (EPSS)
Percentile 0.40468
EPSS Score 0.00186
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:54:07.727133+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v9p9-hfj2-hcw8/GHSA-v9p9-hfj2-hcw8.json 38.0.0