CVE Vulnerabilities

CVE-2026-12151

Uncontrolled Resource Consumption

Published: Jun 17, 2026 | Modified: Jul 16, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client (new WebSocket(…)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.

All releases starting at undici 6.17.0 are affected.

Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

NameVendorStart VersionEnd Version
UndiciNodejs6.17.0 (including)6.27.0 (excluding)
UndiciNodejs7.0.0 (including)7.28.0 (excluding)
UndiciNodejs8.0.0 (including)8.5.0 (excluding)
Red Hat Enterprise Linux 10RedHatnodejs24-1:24.18.0-1.el10_2*
Red Hat Enterprise Linux 10RedHatnodejs22-1:22.23.1-2.el10_2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatnodejs22-1:22.23.1-2.el10_0*
Red Hat Enterprise Linux 8RedHatnodejs:24-8100020260630152626.6d880403*
Red Hat Enterprise Linux 9RedHatnodejs:24-9080020260626074955.rhel9*
Red Hat Enterprise Linux 9RedHatnodejs:22-9080020260626075442.rhel9*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/logging-console-plugin-pf4-rhel9:1782839279*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/logging-console-plugin-pf5-rhel9:1782840539*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/logging-console-plugin-rhel9:1782841925*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/monitoring-console-plugin-pf5-rhel9:1782844225*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/monitoring-console-plugin-pf6-rhel9:1782839658*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/monitoring-console-plugin-rhel9:1782838476*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9:1782839996*
Cluster Observability Operator 1.5.0RedHatcluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494*
Red Hat Developer Hub 1.10RedHatrhdh/rhdh-hub-rhel9:1783448184*
Red Hat Hardened ImagesRedHatnodejs26-main-26.5.0-1.3.hum1*
Red Hat Hardened ImagesRedHatnodejs24-main-24.18.0-0.3.hum1*
Red Hat OpenShift Container Platform 4.16RedHatopenshift4/ose-monitoring-plugin-rhel9:1783306396*
Red Hat OpenShift Dev Spaces 3.29RedHatdevspaces/dashboard-rhel9:1782498792*
Red Hat OpenShift Dev Spaces 3.29RedHatdevspaces/openvsx-rhel9:1783007534*
Red Hat OpenShift Dev Spaces 3.29RedHatdevspaces/pluginregistry-rhel9:1782989367*
Node-undiciUbuntuquesting*

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References