CVE-2026-1528 HIGH

CVE-2026-1528: undici is vulnerable to a malicious WebSocket 64-bit payload length that overflows the undici parser and crashes the client

Vendor Undici
Product undici
Weakness CWE-248 (Uncaught Exception)
Published March 12, 2026
Last update June 30, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Impact

A server can reply with a WebSocket frame that uses the 64-bit payload-length form and carries an extremely large length value. undici's ByteParser overflows its internal length arithmetic, ends up in an invalid state, and throws a fatal TypeError that terminates the client process. Because the frame comes from the server side of the connection, any undici WebSocket client that connects to a malicious or compromised endpoint is exposed, with no authentication or user interaction required; the impact is denial of service (availability High, no confidentiality or integrity impact).

Patches

Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
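The frame shape described above, and the check a client-side parser needs, as an added example. This is not undici's code and not the advisory's fix: it is a minimal RFC 6455 frame-header parser written for this page, with a naive length extraction beside a hardened one. The function names, the maxPayload default, the return shapes and the all-ones sample length are this example's own choices; the close codes 1002 and 1009 and the rule that the most significant bit of a 64-bit length must be zero come from RFC 6455.

```javascript
// Added example, not undici's code and not the advisory's fix: a minimal RFC 6455
// frame-header parser showing how a 64-bit payload length breaks naive Number
// arithmetic, beside a hardened variant that rejects the frame with a close code
// instead of throwing. Function names, the maxPayload default and the return
// shapes are this example's own choices.

const CLOSE_PROTOCOL_ERROR = 1002; // RFC 6455 section 7.4.1
const CLOSE_MESSAGE_TOO_BIG = 1009;

// Constructed sample: a server->client frame header in the 64-bit length form
// (length marker 127). payloadLength is a BigInt so the full 64-bit range is expressible.
function buildFrameHeader64(opcode, payloadLength) {
  const header = Buffer.alloc(10);
  header[0] = 0x80 | (opcode & 0x0f); // FIN=1, RSV1-3=0, opcode
  header[1] = 0x7f;                    // MASK=0 (server frames are unmasked), marker 127
  header.writeBigUInt64BE(payloadLength, 2);
  return header;
}

// Naive extraction: combines the two 32-bit halves in a plain Number. Above 2^53-1
// the result is no longer an exact integer, so any later byte-count arithmetic
// (buffer sizing, "bytes remaining" bookkeeping) runs on a value the wire never sent.
function payloadLengthNaive(header) {
  const marker = header[1] & 0x7f;
  if (marker < 126) return marker;
  if (marker === 126) return header.readUInt16BE(2);
  return header.readUInt32BE(2) * 2 ** 32 + header.readUInt32BE(6);
}

function fail(closeCode, reason) {
  return { ok: false, closeCode, reason };
}

// Hardened parse. Never throws on attacker-controlled input: it returns
// { ok: true, fin, opcode, length, headerLength } or { ok: false, closeCode, reason },
// so the caller can send a Close frame and drop the socket without taking down the process.
function parseFrameHeader(header, { maxPayload = 16 * 1024 * 1024 } = {}) {
  if (header.length < 2) return fail(CLOSE_PROTOCOL_ERROR, 'truncated header');
  const fin = (header[0] & 0x80) !== 0;
  const opcode = header[0] & 0x0f;
  if ((header[1] & 0x80) !== 0) return fail(CLOSE_PROTOCOL_ERROR, 'server frame must not be masked');
  const marker = header[1] & 0x7f;

  let length;
  let headerLength;
  if (marker < 126) {
    length = marker;
    headerLength = 2;
  } else if (marker === 126) {
    if (header.length < 4) return fail(CLOSE_PROTOCOL_ERROR, 'truncated 16-bit length');
    length = header.readUInt16BE(2);
    headerLength = 4;
    if (length < 126) return fail(CLOSE_PROTOCOL_ERROR, 'non-minimal 16-bit length encoding');
  } else {
    if (header.length < 10) return fail(CLOSE_PROTOCOL_ERROR, 'truncated 64-bit length');
    const raw = header.readBigUInt64BE(2); // exact: BigInt keeps all 64 bits
    if ((raw & (1n << 63n)) !== 0n) {
      return fail(CLOSE_PROTOCOL_ERROR, 'most significant bit of 64-bit length must be 0 (RFC 6455 section 5.2)');
    }
    if (raw < 65536n) return fail(CLOSE_PROTOCOL_ERROR, 'non-minimal 64-bit length encoding');
    if (raw > BigInt(Number.MAX_SAFE_INTEGER)) {
      return fail(CLOSE_MESSAGE_TOO_BIG, 'payload length is not representable as a safe integer');
    }
    length = Number(raw);
    headerLength = 10;
  }

  if (length > maxPayload) return fail(CLOSE_MESSAGE_TOO_BIG, `payload of ${length} bytes exceeds limit of ${maxPayload}`);
  if (opcode >= 0x8 && (length > 125 || !fin)) {
    return fail(CLOSE_PROTOCOL_ERROR, 'control frames must be unfragmented and carry at most 125 bytes');
  }
  return { ok: true, fin, opcode, length, headerLength };
}

// Demo: one instance of the malicious frame the advisory describes, length field all ones.
function demo() {
  const evil = buildFrameHeader64(0x2, 0xffffffffffffffffn);
  const naive = payloadLengthNaive(evil);
  console.log('wire bytes       :', evil.toString('hex'));
  console.log('naive length     :', naive, 'safe integer?', Number.isSafeInteger(naive));
  console.log('hardened verdict :', parseFrameHeader(evil));
}

demo();
```

The design point is that length validation happens on the exact 64-bit value, before it is converted to a Number and before any allocation or bookkeeping uses it, and that every rejection path returns a close code rather than throwing. A client that follows that shape can answer a hostile server with a Close frame and drop the socket, which is the behaviour the upgrade restores.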

Key dates

Disclosure timeline

March 12, 2026 CVE published
June 30, 2026 Record updated