Vulnerability details: VCID-zb3h-efqz-dff3
Vulnerability ID: VCID-zb3h-efqz-dff3
Aliases: CVE-2026-22036, GHSA-g9mf-h72j-4rw9
Summary: Undici: unbounded decompression chain in HTTP responses via Content-Encoding in the Node.js Fetch API leads to resource exhaustion

### Impact
The `fetch()` API supports chained HTTP content codings in responses, as RFC 9110 allows (e.g. `Content-Encoding: gzip, br`); undici's decompress interceptor supports the same chains. However, the number of links in the decompression chain is unbounded, and the default `maxHeaderSize` leaves room for a malicious server to list thousands of compression steps in a single `Content-Encoding` header, leading to high CPU usage and excessive memory allocation in the client. The header is entirely server-controlled, so any client that fetches from an untrusted or attacker-controlled server is exposed, with no privileges and no user interaction required.

### Patches
Upgrade to undici 7.18.2 (7.x line) or 6.23.0 (6.x line). Node.js bundles its own copy of undici behind the built-in global `fetch()`, so code that uses the global `fetch()` rather than the `undici` npm package is fixed by a Node.js release that updates the bundled undici, not by bumping the npm dependency.

### Workarounds
Apply an undici interceptor that inspects the response `Content-Encoding` header and rejects responses whose list of codings is longer than a small fixed bound.

### References
* https://hackerone.com/reports/3456148
* https://github.com/advisories/GHSA-gm62-xv2j-4w53
* https://curl.se/docs/CVE-2022-32206.html (the analogous unbounded encoding-chain issue in curl)
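The manual workaround the advisory describes, as an added example that is not undici's own code: an interceptor that bounds the number of codings in a response's Content-Encoding header and aborts the request before any decompression happens. The interceptor shape (`dispatch => (opts, handler) => ...`), the DispatchHandler method names (`onResponseStart`, `onResponseError`, ...) and `controller.abort()` are assumed from undici v7's `Dispatcher.compose()` API, and the downstream handler is assumed to implement that same v7 interface. The fake dispatcher, the 16 KiB header limit and the sample headers are constructed here so the block runs offline without undici installed.

```javascript
// Added example (not undici's own code): bound the Content-Encoding chain.
// Interceptor shape and handler method names are assumed from undici v7.

// Parse a Content-Encoding field value into its list of codings. RFC 9110
// list syntax: comma-separated tokens with optional whitespace. Repeated
// header lines may be delivered as an array; treat them as one list.
function parseContentCodings(value) {
  if (value == null) return [];
  const raw = Array.isArray(value) ? value.join(',') : String(value);
  return raw
    .split(',')
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Case-insensitive lookup in a plain header object.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers ?? {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Legitimate servers send one coding, occasionally two. Anything beyond a
// small bound is hostile or broken, so reject it before decompressing.
function checkContentEncoding(headers, maxCodings = 4) {
  const codings = parseContentCodings(headerValue(headers, 'content-encoding'));
  return { ok: codings.length <= maxCodings, count: codings.length, codings };
}

// Interceptor factory. The guarded handler delegates every event to the
// original handler except onResponseStart, where the chain length is checked
// and the request aborted (the dispatcher then reports it via onResponseError).
function boundedContentEncoding({ maxCodings = 4 } = {}) {
  return (dispatch) => (opts, handler) => {
    const guarded = {
      onRequestStart: (...args) => handler.onRequestStart?.(...args),
      onRequestUpgrade: (...args) => handler.onRequestUpgrade?.(...args),
      onResponseData: (...args) => handler.onResponseData?.(...args),
      onResponseEnd: (...args) => handler.onResponseEnd?.(...args),
      onResponseError: (...args) => handler.onResponseError?.(...args),
      onResponseStart(controller, statusCode, headers, statusMessage) {
        const result = checkContentEncoding(headers, maxCodings);
        if (!result.ok) {
          const err = new Error(
            `Content-Encoding chain of ${result.count} codings exceeds limit ${maxCodings}`,
          );
          err.code = 'ERR_CONTENT_ENCODING_CHAIN_TOO_LONG'; // hypothetical code name
          controller.abort(err);
          return;
        }
        return handler.onResponseStart?.(controller, statusCode, headers, statusMessage);
      },
    };
    return dispatch(opts, guarded);
  };
}

// Constructed stand-in for undici's dispatch: "responds" with the given
// headers by driving the handler the way a real dispatcher would.
function fakeDispatch(responseHeaders) {
  return (opts, handler) => {
    let aborted = null;
    const controller = { abort(reason) { aborted = reason; }, pause() {}, resume() {} };
    handler.onRequestStart?.(controller, {});
    handler.onResponseStart?.(controller, 200, responseHeaders, 'OK');
    if (aborted) {
      handler.onResponseError?.(controller, aborted);
      return false;
    }
    handler.onResponseData?.(controller, Buffer.from('body'));
    handler.onResponseEnd?.(controller, {});
    return true;
  };
}

// Run one request through the guarded pipeline and report what the
// downstream handler observed.
function simulate(responseHeaders, maxCodings = 4) {
  const outcome = { error: null, ended: false };
  const handler = {
    onResponseError(controller, err) { outcome.error = err; },
    onResponseEnd() { outcome.ended = true; },
  };
  const dispatch = boundedContentEncoding({ maxCodings })(fakeDispatch(responseHeaders));
  dispatch({ method: 'GET', path: '/' }, handler);
  return outcome;
}

// Constructed attacker response: 3000 codings is under 15 KB of header value,
// which fits a 16 KiB header limit (assumed here as undici's default
// maxHeaderSize; the advisory only says the default is large enough).
const maliciousHeaders = { 'content-encoding': Array(3000).fill('gzip').join(',') };
const benignHeaders = { 'Content-Encoding': 'gzip, br' };

console.log('malicious:', simulate(maliciousHeaders).error?.message);
console.log('benign ended:', simulate(benignHeaders).ended);
```

In a real application the interceptor would be installed on the dispatcher that `fetch()` uses, e.g. `setGlobalDispatcher(getGlobalDispatcher().compose(boundedContentEncoding({ maxCodings: 4 })))` from the `undici` package (assumed v7 API). The bound of 4 is a policy choice, not a protocol limit; it is generous for real servers and still orders of magnitude below what a 16 KiB header can carry. This is a stopgap for clients that cannot upgrade yet; the fixed releases named in the advisory are the actual remedy.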
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages
Weaknesses (3)
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-22036
cvssv3.1 3.7 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-g9mf-h72j-4rw9
cvssv3.1 5.9 https://github.com/nodejs/undici
generic_textual MODERATE https://github.com/nodejs/undici
cvssv3.1 5.9 https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
generic_textual MODERATE https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
ssvc Track https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
cvssv3.1 5.9 https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
cvssv3.1_qr MODERATE https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
generic_textual MODERATE https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
ssvc Track https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2026-22036
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-22036
No exploits are available.
CVSS v3.1 vectors

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (score 3.7)
  Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json
  Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (score 5.9)
  Found at https://github.com/nodejs/undici
  Found at https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
  Found at https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
  Found at https://nvd.nist.gov/vuln/detail/CVE-2026-22036

Decoded metrics (identical across all six vectors except Availability Impact):
  Attack Vector (AV): network
  Attack Complexity (AC): high
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): none
  Integrity Impact (I): none
  Availability Impact (A): low (Red Hat, SUSE) / high (undici, GHSA, NVD)

The only disagreement between sources is the Availability Impact: Red Hat and SUSE rate the resource exhaustion as A:L (3.7), while the undici maintainers, GitHub and NVD rate it as A:H (5.9). All sources agree that the attack is network-reachable, needs no privileges and no user interaction, touches only availability, and requires the victim client to fetch from a server the attacker controls.

SSVC vectors

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:17:52Z/
  Found at https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
  Found at https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
  Decision D:T = Track (Exploitation E:N = none observed; Automatable A:N = no; Technical Impact T:P = partial).
Exploit Prediction Scoring System (EPSS)
Percentile 0.05386
EPSS Score 0.0002
Published At April 2, 2026, 12:55 p.m.
History
  Date: 2026-04-01T12:52:19.759853+00:00
  Actor: GithubOSV Importer
  Action: Import
  Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-g9mf-h72j-4rw9/GHSA-g9mf-h72j-4rw9.json
  VulnerableCode Version: 38.0.0