LiveActive security incident?Get immediate response
CVE Record

CVE-2026-12151: undici WebSocket client vulnerable to denial of service via fragment count bypass

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. All releases starting at undici 6.17.0 are affected. Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

A flaw in undici, a widely used Node.js HTTP library, lets a hostile WebSocket server crash Node.js applications by streaming many tiny message fragments until the client runs out of memory. Any service that opens WebSocket connections to untrusted or attacker-influenced endpoints is at risk of an outage until the library is upgraded.

Executive priority

Treat as an elevated availability risk for Node.js workloads that use undici and reach external WebSocket endpoints. No confirmed active exploitation, but the fix is a straightforward dependency upgrade and Red Hat has issued multiple advisories. Schedule patching within the standard high-severity SLA and prioritize internet-facing services.

Technical view

The undici WebSocket client enforces maxPayloadSize on cumulative fragment bytes but does not cap the number of continuation frames per message. A malicious server can send unbounded empty or tiny continuation frames that each pass size checks, causing memory exhaustion in the client. Versions 6.17.0 through 6.25.x, 7.0.0 through 7.27.x, and 8.0.0 through 8.4.x are affected. Fixed in undici 6.26.0, 7.28.0, and 8.5.0.

Likely exposure

Node.js services using undici's WebSocket client or WebSocketStream API that connect to attacker-controlled, third-party, or user-specified WebSocket endpoints. Backend proxies, chat integrations, crawlers, and SSRF-adjacent code paths are the most exposed. Red Hat has shipped multiple RHSA advisories, indicating broad downstream exposure across their ecosystem.

Exploitation context

CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) reflecting a network-reachable availability impact with no privileges or user interaction. The CVE is not listed in CISA KEV and the sources do not report in-the-wild exploitation. The attack requires the victim to initiate a WebSocket connection to an attacker-controlled server.

Researcher notes

Root cause is a missing fragment-count invariant alongside the existing maxPayloadSize check (CWE-400, CWE-770). Empty or small continuation frames pass per-frame validation, so cumulative retention of frame metadata drives memory growth rather than payload bytes. Trigger requires the undici client to connect outbound to a hostile ws:// or wss:// endpoint. No workaround exists; only the upstream patch resolves the issue. Verify fix inclusion via the GHSA-vxpw-j846-p89q advisory.

Mitigation direction

  • Upgrade undici to 6.26.0, 7.28.0, or 8.5.0 or later across all runtimes and container images.
  • Rebuild and redeploy Node.js apps that bundle undici, including transitive dependencies pulled in by fetch/HTTP clients.
  • Apply Red Hat RHSA errata (34342, 35841/35842, 35891/35892, 36754, 36820, 38009, 38236) to affected RHEL and OpenShift systems.
  • Restrict outbound WebSocket destinations to allow-listed hosts where feasible.
  • Set process-level memory limits and automatic restart policies to contain DoS impact until patched.

Validation and detection

  • Inventory direct and transitive undici usage via npm ls undici or SBOM tooling and flag versions below the fixed releases.
  • Confirm running processes load the patched undici by inspecting node_modules and container image manifests after redeploy.
  • Verify Red Hat hosts show updated nodejs/undici packages via rpm -q and applicable RHSA identifiers.
  • Review application code for WebSocket or WebSocketStream connections to user-supplied or third-party URLs.
  • Monitor Node.js RSS and heap metrics for anomalous growth on services that make outbound WebSocket calls.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-400: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-770: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-12151 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
15Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6openjs
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2026-12151Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPundici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
other:Red Hat severity ratingcvssV3_1
  • 2026-06-17T17:01:45.297Z: Reported to Red Hat.
  • 2026-06-17T16:05:38.785Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
undiciundici0, 6.26.0, 7.0.0, 7.28.0, 8.0.0, 8.5.0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-400 · source CWE mapping

Uncontrolled Resource Consumption

Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-770 · source CWE mapping

Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.