Intel

AIKIDO-2026-936878

undici is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

37

Low Risk

This Affects:

JSundici
8.3.0 - 8.6.0
Fixed in 8.7.0
Are you affected? Scan for Free

TL;DR

The HTTP/2 client dispatcher mishandles stream lifecycle events. A response frame delivered to a still-live stream after the request has already completed calls the response-start path post-completion, tripping an internal assert(!this.completed) that throws on the HTTP/2 event tick and escapes as an uncaught exception that crashes the process; a session that has received GOAWAY rejects new streams and crashes instead of requeuing the request, and streams aborted with close() can leave the native HTTP/2 stream handle alive on busy multiplexed sessions. A malicious or misbehaving HTTP/2 server can drive these paths to crash the client or exhaust resources. The fix guards response handling against already-completed requests, requeues requests on GOAWAY'd sessions, and deterministically destroys aborted streams.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and have HTTP/2 support enabled (for example allowH2: true).

Background info

undici is vulnerable to Denial of Service (DoS) in versions 8.3.0 - 8.6.0.

How to fix this

Upgrade the undici library to the patch version.