{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-12151","assignerOrgId":"ce714d77-add3-4f53-aff5-83d477b104bb","state":"PUBLISHED","assignerShortName":"openjs","dateReserved":"2026-06-12T18:14:04.454Z","datePublished":"2026-06-17T16:05:38.785Z","dateUpdated":"2026-07-09T12:09:31.221Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ce714d77-add3-4f53-aff5-83d477b104bb","shortName":"openjs","dateUpdated":"2026-06-17T16:05:38.785Z"},"title":"undici WebSocket client vulnerable to denial of service via fragment count bypass","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-400","description":"CWE-400: Uncontrolled Resource Consumption","type":"CWE"}]},{"descriptions":[{"lang":"en","cweId":"CWE-770","description":"CWE-770: Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"affected":[{"vendor":"undici","product":"undici","versions":[{"status":"affected","version":"0","lessThan":"6.26.0","versionType":"semver"},{"status":"unaffected","version":"6.26.0","versionType":"semver"},{"status":"affected","version":"7.0.0","lessThan":"7.28.0","versionType":"semver"},{"status":"unaffected","version":"7.28.0","versionType":"semver"},{"status":"affected","version":"8.0.0","lessThan":"8.5.0","versionType":"semver"},{"status":"unaffected","version":"8.5.0","versionType":"semver"}],"defaultStatus":"unaffected","packageURL":"pkg:npm/undici"}],"descriptions":[{"lang":"en","value":"Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds:\nNo workaround is available. The fix must be applied through an upgrade.","supportingMedia":[{"type":"text/html","base64":false,"value":"Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches:&nbsp;Upgrade to undici &gt;= 6.26.0, &gt;= 7.28.0, or &gt;= 8.5.0.&nbsp;Workarounds:\nNo workaround is available. The fix must be applied through an upgrade."}]}],"references":[{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"},{"url":"https://cna.openjsf.org/security-advisories.html"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"credits":[{"lang":"en","value":"lpinca","type":"reporter"},{"lang":"en","value":"Nadav0077","type":"finder"},{"lang":"en","value":"UlisesGascon","type":"remediation reviewer"}],"x_generator":{"engine":"cve-kit 1.0.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-17T17:29:57.305732Z","id":"CVE-2026-12151","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-17T17:30:13.782Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:cluster_observability_operator:1.5::el9"],"defaultStatus":"affected","product":"Cluster Observability Operator 1.5.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1.10::el9"],"defaultStatus":"affected","product":"Red Hat Developer Hub 1.10","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3.29::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces 3.29","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:cryostat:4"],"defaultStatus":"affected","product":"Cryostat 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_pipelines:1"],"defaultStatus":"affected","product":"OpenShift Pipelines","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:podman_desktop:1"],"defaultStatus":"affected","product":"Red Hat Build of Podman Desktop","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"affected","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_portal:2"],"defaultStatus":"affected","product":"Self-service automation portal 2","vendor":"Red Hat"}],"datePublic":"2026-06-17T16:05:38.785Z","descriptions":[{"lang":"en","value":"A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-12151"},{"name":"RHBZ#2489980","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489980"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12151.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35842"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35841"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35892"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35891"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34342"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36754"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36820"}],"solutions":[{"lang":"en","value":"RHSA-2026:35842: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:35841: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:35892: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:35891: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:34342: Cluster Observability Operator 1.5.0"},{"lang":"en","value":"RHSA-2026:36754: Red Hat Developer Hub 1.10"},{"lang":"en","value":"RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"}],"timeline":[{"lang":"en","time":"2026-06-17T17:01:45.297Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-17T16:05:38.785Z","value":"Made public."}],"title":"undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:09:31.221Z"}}]}}