{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/undici-versions-7.0.0-through-7.27.x/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["undici (versions prior to 6.27.0)","undici (versions 7.0.0 through 7.27.x)","undici (versions 8.0.0 through 8.4.x)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","javascript","npm","nodejs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eundici\u003c/code\u003e WebSocket client, used in various Node.js applications, has been identified with a high-severity denial of service vulnerability, CVE-2026-12151, which affects all versions prior to \u003ccode\u003e6.27.0\u003c/code\u003e, \u003ccode\u003e7.0.0\u003c/code\u003e through \u003ccode\u003e7.27.x\u003c/code\u003e, and \u003ccode\u003e8.0.0\u003c/code\u003e through \u003ccode\u003e8.4.x\u003c/code\u003e. This flaw, published on June 19, 2026, allows a malicious WebSocket server to exploit improper validation logic where the \u003ccode\u003emaxPayloadSize\u003c/code\u003e is enforced on the cumulative byte count of fragments but not on the total number of fragments. Attackers can stream many small or empty continuation frames that individually pass size checks but collectively lead to uncontrolled memory allocation within the client. This results in memory exhaustion and a denial of service for any \u003ccode\u003eundici\u003c/code\u003e-dependent application acting as a WebSocket client and connecting to an attacker-controlled endpoint. Defenders should prioritize patching to prevent application instability and crashes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker operates a specially crafted, malicious WebSocket server designed to exploit \u003ccode\u003eCVE-2026-12151\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA vulnerable \u003ccode\u003eundici\u003c/code\u003e WebSocket client, integrated into a target application, is induced to establish a connection to the attacker's server (e.g., through a malicious link, compromised third-party service, or supply chain injection).\u003c/li\u003e\n\u003cli\u003eUpon successful connection, the malicious server sends an initial, valid WebSocket message fragment to maintain an active session.\u003c/li\u003e\n\u003cli\u003eThe server then begins to continuously stream a large quantity of very small or entirely empty WebSocket continuation frames to the connected \u003ccode\u003eundici\u003c/code\u003e client.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eundici\u003c/code\u003e client's internal \u003ccode\u003emaxPayloadSize\u003c/code\u003e validation logic, which checks the cumulative byte count, passes for each individual small or empty frame.\u003c/li\u003e\n\u003cli\u003eDespite passing individual frame size checks, the client's memory buffer, responsible for reassembling the fragmented message, grows without bound due to the lack of a limit on the number of fragments.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eundici\u003c/code\u003e client process rapidly consumes available system memory, leading to an out-of-memory (OOM) condition on the host system.\u003c/li\u003e\n\u003cli\u003eThe operating system (Windows, Linux, or macOS) terminates the \u003ccode\u003eundici\u003c/code\u003e client process or the entire application due to memory exhaustion, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-12151 leads directly to a denial of service for applications utilizing the vulnerable \u003ccode\u003eundici\u003c/code\u003e WebSocket client. Affected systems will experience rapid, unbounded memory growth, culminating in the termination of the client process or the entire application by the operating system due to out-of-memory conditions. This can cause significant operational disruption, service unavailability, and potential data loss for critical services that rely on \u003ccode\u003eundici\u003c/code\u003e for WebSocket communication. While specific victim counts are not available, any Node.js application using \u003ccode\u003eundici\u003c/code\u003e for WebSocket client functionality, especially those connecting to external or untrusted endpoints, is susceptible to this severe impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eundici\u003c/code\u003e package in all affected Node.js applications immediately to a patched version (v6.27.0, v7.28.0, or v8.5.0) as referenced in the GHSA advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM/EDR to detect Node.js application crashes or abnormal terminations that could indicate successful exploitation of CVE-2026-12151.\u003c/li\u003e\n\u003cli\u003eEnable application-level logging for Node.js processes, specifically capturing errors related to memory allocation failures or unexpected process exits, to activate the rules above.\u003c/li\u003e\n\u003cli\u003eReview network egress policies for applications using the \u003ccode\u003eundici\u003c/code\u003e WebSocket client to ensure they only connect to trusted and necessary WebSocket endpoints, reducing exposure to malicious servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T14:26:21Z","date_published":"2026-06-19T14:26:21Z","id":"https://feed.craftedsignal.io/briefs/2026-06-undici-websocket-dos/","summary":"The `undici` WebSocket client is vulnerable to CVE-2026-12151, a high-severity denial of service attack where a malicious WebSocket server can stream numerous small continuation frames that bypass `maxPayloadSize` checks, causing unbounded memory growth and exhaustion in affected client processes.","title":"undici WebSocket Client Vulnerable to Denial of Service (CVE-2026-12151)","url":"https://feed.craftedsignal.io/briefs/2026-06-undici-websocket-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Undici (Versions 7.0.0 Through 7.27.x)","version":"https://jsonfeed.org/version/1.1"}