Source: node-undici
Version: 7.18.2+dfsg+~cs3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-undici.

CVE-2026-1526[0]:
| The undici WebSocket client is vulnerable to a denial-of-service
| attack via unbounded memory consumption during permessage-deflate
| decompression. When a WebSocket connection negotiates the
| permessage-deflate extension, the client decompresses incoming
| compressed frames without enforcing any limit on the decompressed
| data size. A malicious WebSocket server can send a small compressed
| frame (a "decompression bomb") that expands to an extremely large
| size in memory, causing the Node.js process to exhaust available
| memory and crash or become unresponsive. The vulnerability exists
| in the PerMessageDeflate.decompress() method, which accumulates all
| decompressed chunks in memory and concatenates them into a single
| Buffer without checking whether the total size exceeds a safe
| threshold.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1526
    https://www.cve.org/CVERecord?id=CVE-2026-1526
[1] https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

