{"vulnerability": "CVE-2026-12151", "sightings": [{"uuid": "a7890d05-e351-4c61-8983-fad9f13e9756", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-12151", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moiyi3y4jq27", "content": "CVE-2026-12151 - undici WebSocket client vulnerable to denial of service via fragment count bypass\nCVE ID : CVE-2026-12151\n \n Published : June 17, 2026, 4:05 p.m. | 1\u00a0hour, 36\u00a0minutes ago\n \n Description : Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumul...", "creation_timestamp": "2026-06-17T18:55:58.300124Z"}, {"uuid": "f602cc5a-d32e-4924-81ca-449e6dc42e2d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-12151", "type": "seen", "source": "https://bsky.app/profile/ulisesgascon.com/post/3moipe7e5is2g", "content": "\ud83d\udea8 High-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!\n\nPatches CVE-2026-12151. undici WebSocket client vulnerable to denial of service via fragment count bypass.\n\ngithub.com/nodejs/undic...", "creation_timestamp": "2026-06-17T16:12:44.124995Z"}, {"uuid": "5f4e36a0-89cc-452f-ac09-7d72efd1878e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-12151", "type": "seen", "source": "https://bsky.app/profile/nodeland.dev/post/3mol72mtyb62f", "content": "\ud83d\udfe0 High: WebSocket DoS (CVE-2026-12151).\nA malicious server could send unlimited tiny/empty fragments. We capped total payload size but not fragment *count* \u2192 unbounded memory growth.\nAffects v6/v7/v8. No workaround \u2014 upgrade.", "creation_timestamp": "2026-06-18T15:59:01.750896Z"}, {"uuid": "a38268e6-ebc8-4406-a791-3d1054f352be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-12151", "type": "seen", "source": "https://gist.github.com/alon710/cb38e049872764207b2ad97489bbd503", "content": "# CVE-2026-12151: CVE-2026-12151: Denial of Service via Uncontrolled Fragment Buffering in Undici WebSocket Client\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-19\n> **Full Report:** https://cvereports.com/reports/CVE-2026-12151\n\n## Summary\nA high-severity denial of service vulnerability in the undici WebSocket client (CVE-2026-12151) arises from uncontrolled memory consumption. Although undici validates individual fragment sizes against a cumulative payload limit, it fails to cap the total number of frames in a single message stream. This allows a rogue or compromised WebSocket server to send an infinite sequence of small or empty continuation frames, causing unbounded memory allocation and eventual heap exhaustion on the client process.\n\n## TL;DR\nThe undici WebSocket client does not limit the number of continuation frames per message, enabling a malicious server to crash the client process via heap exhaustion using infinite zero-byte fragments.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400, CWE-770\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00284 (Percentile: 19.97%)\n- **Impact**: Denial of Service (OOM Crash)\n- **Exploit Status**: PoC available, no active wild exploitation\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- undici WebSocket client\n- Node.js applications utilizing undici\n- **undici**: >= 6.17.0 < 6.26.0 (Fixed in: `6.26.0`)\n- **undici**: >= 7.0.0 < 7.28.0 (Fixed in: `7.28.0`)\n- **undici**: >= 8.0.0 < 8.5.0 (Fixed in: `8.5.0`)\n\n## Mitigation\n\n- Upgrade to patched undici releases\n- Limit client-side WebSocket connections to trusted domains\n- Deploy external process managers (such as systemd, PM2) with auto-restart policies\n\n**Remediation Steps:**\n1. Identify vulnerable undici installations via 'npm ls undici'\n2. Update dependency requirements in package.json to >= 6.26.0, >= 7.28.0, or >= 8.5.0\n3. Execute 'npm install' or equivalent to apply the patch\n4. Verify correct resolution via 'npm ls undici' and redeploy\n\n## References\n\n- [GHSA-vxpw-j846-p89q](https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q)\n- [OpenJS Foundation Security Advisories](https://cna.openjsf.org/security-advisories.html)\n- [CVE-2026-12151 Record](https://www.cve.org/CVERecord?id=CVE-2026-12151)\n- [NVD - CVE-2026-12151](https://nvd.nist.gov/vuln/detail/CVE-2026-12151)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-12151) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T14:41:40.000000Z"}]}