{"uuid": "a38268e6-ebc8-4406-a791-3d1054f352be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-12151", "type": "seen", "source": "https://gist.github.com/alon710/cb38e049872764207b2ad97489bbd503", "content": "# CVE-2026-12151: CVE-2026-12151: Denial of Service via Uncontrolled Fragment Buffering in Undici WebSocket Client\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-19\n> **Full Report:** https://cvereports.com/reports/CVE-2026-12151\n\n## Summary\nA high-severity denial of service vulnerability in the undici WebSocket client (CVE-2026-12151) arises from uncontrolled memory consumption. Although undici validates individual fragment sizes against a cumulative payload limit, it fails to cap the total number of frames in a single message stream. This allows a rogue or compromised WebSocket server to send an infinite sequence of small or empty continuation frames, causing unbounded memory allocation and eventual heap exhaustion on the client process.\n\n## TL;DR\nThe undici WebSocket client does not limit the number of continuation frames per message, enabling a malicious server to crash the client process via heap exhaustion using infinite zero-byte fragments.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400, CWE-770\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00284 (Percentile: 19.97%)\n- **Impact**: Denial of Service (OOM Crash)\n- **Exploit Status**: PoC available, no active wild exploitation\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- undici WebSocket client\n- Node.js applications utilizing undici\n- **undici**: >= 6.17.0 < 6.26.0 (Fixed in: `6.26.0`)\n- **undici**: >= 7.0.0 < 7.28.0 (Fixed in: `7.28.0`)\n- **undici**: >= 8.0.0 < 8.5.0 (Fixed in: `8.5.0`)\n\n## Mitigation\n\n- Upgrade to patched undici releases\n- Limit client-side WebSocket connections to trusted domains\n- Deploy external process managers (such as systemd, PM2) with auto-restart policies\n\n**Remediation Steps:**\n1. Identify vulnerable undici installations via 'npm ls undici'\n2. Update dependency requirements in package.json to >= 6.26.0, >= 7.28.0, or >= 8.5.0\n3. Execute 'npm install' or equivalent to apply the patch\n4. Verify correct resolution via 'npm ls undici' and redeploy\n\n## References\n\n- [GHSA-vxpw-j846-p89q](https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q)\n- [OpenJS Foundation Security Advisories](https://cna.openjsf.org/security-advisories.html)\n- [CVE-2026-12151 Record](https://www.cve.org/CVERecord?id=CVE-2026-12151)\n- [NVD - CVE-2026-12151](https://nvd.nist.gov/vuln/detail/CVE-2026-12151)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-12151) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T14:41:40.000000Z"}