CVE-2026-2229

{"id": "CVE-2026-2229", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-12T21:16:25.573", "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "tags": ["Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://datatracker.ietf.org/doc/html/rfc7692", "tags": ["Technical Description"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8", "tags": ["Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://hackerone.com/reports/3487486", "tags": ["Permissions Required"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw", "tags": ["Technical Description"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-1284"}]}], "descriptions": [{"lang": "en", "value": "ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the\u00a0server_max_window_bits\u00a0parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range\u00a0server_max_window_bits\u00a0value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n * The\u00a0isValidClientWindowBits()\u00a0function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n * The\u00a0createInflateRaw()\u00a0call is not wrapped in a try-catch block\n * The resulting exception propagates up through the call stack and crashes the Node.js process"}, {"lang": "es", "value": "Impacto\nEl cliente WebSocket undici es vulnerable a un ataque de denegaci\u00f3n de servicio debido a la validaci\u00f3n incorrecta del par\u00e1metro server_max_window_bits en la extensi\u00f3n permessage-deflate. Cuando un cliente WebSocket se conecta a un servidor, anuncia autom\u00e1ticamente soporte para la compresi\u00f3n permessage-deflate. Un servidor malicioso puede responder con un valor server_max_window_bits fuera de rango (fuera del rango v\u00e1lido de zlib de 8-15). Cuando el servidor env\u00eda posteriormente un frame comprimido, el cliente intenta crear una instancia zlib InflateRaw con el valor windowBits no v\u00e1lido, causando una excepci\u00f3n RangeError s\u00edncrona que no es capturada, lo que resulta en la terminaci\u00f3n inmediata del proceso.\n\nLa vulnerabilidad existe porque:\n\n * La funci\u00f3n isValidClientWindowBits() solo valida que el valor contiene d\u00edgitos ASCII, no que caiga dentro del rango v\u00e1lido 8-15\n * La llamada a createInflateRaw() no est\u00e1 envuelta en un bloque try-catch\n * La excepci\u00f3n resultante se propaga a trav\u00e9s de la pila de llamadas y bloquea el proceso de Node.js"}], "lastModified": "2026-03-20T15:39:12.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C08CE582-019D-4A06-910A-6010C2D6EF4F", "versionEndExcluding": "6.24.0"}, {"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F016E7D9-C45A-4DEF-9AD8-F0581AF5E509", "versionEndExcluding": "7.24.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}