undici is vulnerable to Denial of Service (DoS)
75 (High Risk)
undici's WebSocket client enforces the maxPayloadSize limit on the cumulative byte size of a fragmented message but never limits the number of fragments. A malicious or compromised WebSocket server can stream a very large number of small or empty continuation frames that each pass per-frame and cumulative-size checks while collectively driving unbounded memory growth in the client. An application that connects its WebSocket or WebSocketStream client to an attacker-controlled endpoint can be driven to memory exhaustion and denial of service. The fix adds a limit on the number of accepted fragments so a message cannot grow without bound.
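The following is an added illustration, not undici's code: a minimal reassembler for fragmented WebSocket messages that shows why a byte-size cap alone does not bound memory and what a fragment-count cap adds. The names `Reassembler`, `maxPayloadSize` and `maxFragments` are hypothetical and do not correspond to undici's internals.

```javascript
// Hypothetical reassembler for fragmented WebSocket messages (added example).
// A size-only limit lets zero-length continuation frames through forever;
// a fragment-count limit closes that gap.
class Reassembler {
  constructor({ maxPayloadSize = 1024 * 1024, maxFragments = Infinity } = {}) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.fragments = [];   // one Buffer per accepted frame (each costs memory even if empty)
    this.totalBytes = 0;
  }

  // frame: { fin: boolean, payload: Buffer }
  // Returns the assembled message Buffer when fin is set, otherwise null.
  // Throws when a limit is exceeded.
  push(frame) {
    // Per-frame and cumulative byte-size checks: the only checks a size-only limit performs.
    if (frame.payload.length > this.maxPayloadSize ||
        this.totalBytes + frame.payload.length > this.maxPayloadSize) {
      this.reset();
      throw new Error('message exceeds maxPayloadSize');
    }
    // Fragment-count check: empty continuation frames add 0 bytes but still
    // allocate a Buffer object and an array slot each, so cap how many are kept.
    if (this.fragments.length >= this.maxFragments) {
      this.reset();
      throw new Error('message exceeds maxFragments');
    }
    this.fragments.push(frame.payload);
    this.totalBytes += frame.payload.length;
    if (!frame.fin) return null;
    const message = Buffer.concat(this.fragments);
    this.reset();
    return message;
  }

  reset() { this.fragments = []; this.totalBytes = 0; }
}

// Feed n constructed empty continuation frames (fin never set) and report how
// many the reassembler accepts before a limit stops it.
function acceptedEmptyFragments(reassembler, n) {
  let accepted = 0;
  for (let i = 0; i < n; i++) {
    try { reassembler.push({ fin: false, payload: Buffer.alloc(0) }); accepted++; }
    catch { return accepted; }
  }
  return accepted;
}
```

With only `maxPayloadSize` set, every empty fragment passes the size checks and the fragment array keeps growing; with `maxFragments` set, the message is rejected once the count is reached.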
You are affected if you are using a version that falls within the vulnerable range.
undici is vulnerable to Denial of Service (DoS) in versions 6.17.0 - 6.25.0, 7.0.0 - 7.27.2 and 8.0.0 - 8.4.1.
Upgrade the undici library to a patched version outside the vulnerable ranges listed above.