CVE-2026-12151: undici WebSocket client vulnerable to denial of service via fragment count bypass
Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.
All releases starting at undici 6.17.0 are affected.
Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds:
No workaround is available. The fix must be applied through an upgrade.
Security readout for executives and security teams
Plain-English summary
A flaw in undici, a widely used Node.js HTTP library, lets a hostile WebSocket server crash Node.js applications by streaming many tiny message fragments until the client runs out of memory. Any service that opens WebSocket connections to untrusted or attacker-influenced endpoints is at risk of an outage until the library is upgraded.
Executive priority
Treat as an elevated availability risk for Node.js workloads that use undici and reach external WebSocket endpoints. No confirmed active exploitation, but the fix is a straightforward dependency upgrade and Red Hat has issued multiple advisories. Schedule patching within the standard high-severity SLA and prioritize internet-facing services.
Technical view
The undici WebSocket client enforces maxPayloadSize on cumulative fragment bytes but does not cap the number of continuation frames per message. A malicious server can send unbounded empty or tiny continuation frames that each pass size checks, causing memory exhaustion in the client. Versions 6.17.0 through 6.25.x, 7.0.0 through 7.27.x, and 8.0.0 through 8.4.x are affected. Fixed in undici 6.26.0, 7.28.0, and 8.5.0.
Likely exposure
Node.js services using undici's WebSocket client or WebSocketStream API that connect to attacker-controlled, third-party, or user-specified WebSocket endpoints. Backend proxies, chat integrations, crawlers, and SSRF-adjacent code paths are the most exposed. Red Hat has shipped multiple RHSA advisories, indicating broad downstream exposure across their ecosystem.
Exploitation context
CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) reflecting a network-reachable availability impact with no privileges or user interaction. The CVE is not listed in CISA KEV and the sources do not report in-the-wild exploitation. The attack requires the victim to initiate a WebSocket connection to an attacker-controlled server.
Researcher notes
Root cause is a missing fragment-count invariant alongside the existing maxPayloadSize check (CWE-400, CWE-770). Empty or small continuation frames pass per-frame validation, so cumulative retention of frame metadata drives memory growth rather than payload bytes. Trigger requires the undici client to connect outbound to a hostile ws:// or wss:// endpoint. No workaround exists; only the upstream patch resolves the issue. Verify fix inclusion via the GHSA-vxpw-j846-p89q advisory.
Mitigation direction
Upgrade undici to 6.26.0, 7.28.0, or 8.5.0 or later across all runtimes and container images.
Rebuild and redeploy Node.js apps that bundle undici, including transitive dependencies pulled in by fetch/HTTP clients.
Apply Red Hat RHSA errata (34342, 35841/35842, 35891/35892, 36754, 36820, 38009, 38236) to affected RHEL and OpenShift systems.
Restrict outbound WebSocket destinations to allow-listed hosts where feasible.
Set process-level memory limits and automatic restart policies to contain DoS impact until patched.
Validation and detection
Inventory direct and transitive undici usage via npm ls undici or SBOM tooling and flag versions below the fixed releases.
Confirm running processes load the patched undici by inspecting node_modules and container image manifests after redeploy.
Verify Red Hat hosts show updated nodejs/undici packages via rpm -q and applicable RHSA identifiers.
Review application code for WebSocket or WebSocketStream connections to user-supplied or third-party URLs.
Monitor Node.js RSS and heap metrics for anomalous growth on services that make outbound WebSocket calls.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-400: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-400 · source CWE mapping
Uncontrolled Resource Consumption
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.