Source: node-undici
Version: 7.18.2+dfsg+~cs3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for node-undici.

CVE-2026-2229[0]:
| Impact
| The undici WebSocket client is vulnerable to a denial-of-service attack
| due to improper validation of the server_max_window_bits parameter in the
| permessage-deflate extension. When a WebSocket client connects to a
| server, it automatically advertises support for permessage-deflate
| compression. A malicious server can respond with an out-of-range
| server_max_window_bits value (outside zlib's valid range of 8-15). When
| the server subsequently sends a compressed frame, the client attempts to
| create a zlib InflateRaw instance with the invalid windowBits value,
| causing a synchronous RangeError exception that is not caught, resulting
| in immediate process termination.
|
| The vulnerability exists because:
| * The isValidClientWindowBits() function only validates that the value
|   contains ASCII digits, not that it falls within the valid range 8-15
| * The createInflateRaw() call is not wrapped in a try-catch block
| * The resulting exception propagates up through the call stack and
|   crashes the Node.js process

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2229
    https://www.cve.org/CVERecord?id=CVE-2026-2229
[1] https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

