Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
undici: Large WebSocket frame crashes the server
CVE-2026-1528
GHSA-f269-vfmq-vjvj
Summary
A bug in the undici library causes a server to crash if it receives a very large WebSocket frame. This could lead to unexpected downtime, making it essential to update to a fixed version of undici. Users should upgrade to at least undici version 7.24.0 or 6.24.0 to prevent this issue.
What to do
- Update undici to version 6.24.0.
- Update undici to version 7.24.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | undici | > 6.0.0 , <= 6.24.0 | 6.24.0 |
| – | undici | > 7.0.0 , <= 7.24.0 | 7.24.0 |
Original title
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
Original description
### Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
### Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
### Workarounds
There are no workarounds.
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
### Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
### Workarounds
There are no workarounds.
nvd CVSS3.1
7.5
Vulnerability type
CWE-248
CWE-1284
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026