CVE-2026-12151: Denial of Service via Uncontrolled Fragment Buffering in Undici WebSocket Client

The WebSocket protocol (RFC 6455) permits message fragmentation to facilitate the transmission of data streams whose total size is unknown at the start of transmission. The OpenJS Foundation's undici, a high-performance HTTP/1.1, HTTP/2, and WebSocket client for Node.js, implements this specification. To defend against resource exhaustion, undici allows developers to enforce a cumulative payload size limit via the maxPayloadSize parameter.

However, a critical security boundary is missed in the implementation of the WebSocket frame parser. While undici correctly aggregates and checks the total payload size of incoming fragments, it does not enforce any restriction on the absolute quantity of individual frames comprising a single WebSocket message. This gap exposes applications utilizing undici to endpoint denial of service.

An attacker capable of controlling the WebSocket server, or performing a machine-in-the-middle injection on unencrypted channels, can exploit this design flaw. By sending an ongoing stream of small or empty continuation frames, the attacker bypasses the cumulative payload limit check. The client continues to accept these frames, eventually exhausting available heap space and crashing the Node.js runtime environment.

To understand the vulnerability, it is necessary to examine how RFC 6455 structure matches memory allocation patterns in V8. A fragmented WebSocket message begins with an initial frame containing a specific data type opcode (0x1 for text, 0x2 for binary) and a FIN bit set to 0. Subsequent frames carry the continuation opcode (0x0) and a FIN bit of 0, until the final frame arrives with a FIN bit of 1.

In undici, as each continuation frame is parsed, the cumulative size of the payload is updated using the calculation:

$$\text{Cumulative Payload Size} = \sum_{i=1}^{n} \text{payloadLength}(\text{fragment}_i)$$

If this sum exceeds the configured maxPayloadSize, the client halts execution and terminates the connection. This algorithm assumes that a payload-size ceiling is sufficient to constrain memory utilization. However, it fails to account for metadata overhead.

For every frame processed, the underlying engine must allocate memory to track fragment-specific metadata, references, and buffers. If an adversary sends frames where the payload size is zero, the mathematical summation remains well below the maxPayloadSize threshold. The physical heap allocation, however, grows linear to the frame count. The V8 garbage collector cannot free these allocations because they are actively referenced within undici's internal queue waiting for the final frame, which never arrives.

The flaw resides within the logic of the frame parser. Below is a representation of the vulnerable parsing pattern, illustrating how frames are appended without tracking the overall fragment count:

// Vulnerable logic in frame processing
class WebSocketParser {
  constructor(options) {
    this.maxPayloadSize = options.maxPayloadSize || 1048576;
    this._fragments = [];
    this._currentPayloadSize = 0;
  }
 
  onFrame(frame) {
    // Validate cumulative payload size
    this._currentPayloadSize += frame.payloadLength;
    if (this._currentPayloadSize > this.maxPayloadSize) {
      this.destroy(new Error('Max payload size exceeded'));
      return;
    }
 
    // Unbounded storage of frame references
    this._fragments.push(frame);
 
    if (frame.fin) {
      const fullMessage = this.reassemble(this._fragments);
      this.emit('message', fullMessage);
      this.reset();
    }
  }
}

To remediate the vulnerability, the frame parser must introduce a counter representing the total number of frames received for the active message, or explicitly enforce a maximum frame limit. The patched logic below demonstrates how a limit is enforced on the total count of fragments, mitigating the allocation loophole:

// Patched logic incorporating fragment limit validation
class WebSocketParser {
  constructor(options) {
    this.maxPayloadSize = options.maxPayloadSize || 1048576;
    this.maxFragmentCount = options.maxFragmentCount || 1000; // Enforced limit
    this._fragments = [];
    this._currentPayloadSize = 0;
  }
 
  onFrame(frame) {
    // Validate cumulative payload size
    this._currentPayloadSize += frame.payloadLength;
    if (this._currentPayloadSize > this.maxPayloadSize) {
      this.destroy(new Error('Max payload size exceeded'));
      return;
    }
 
    // Prevent unbounded array growth
    if (this._fragments.length >= this.maxFragmentCount) {
      this.destroy(new Error('Max fragment count exceeded'));
      return;
    }
 
    this._fragments.push(frame);
 
    if (frame.fin) {
      const fullMessage = this.reassemble(this._fragments);
      this.emit('message', fullMessage);
      this.reset();
    }
  }
}

By checking both the physical size of the data and the total structure count, the library prevents attackers from inducing unbounded memory states.

An attacker exploiting CVE-2026-12151 requires the targeted undici client to initiate a connection to an attacker-controlled WebSocket server, or a server that is vulnerable to downstream request hijacking. Once the WebSocket connection is established, the server initiates an infinite stream of empty continuation frames.

The attack vector is illustrated in the sequence diagram below:

Because the payload size of each individual frame is zero, the cumulative size calculation never triggers a threshold violation. However, the client allocates a small amount of memory in the heap for each frame's metadata and object wrapper. Over thousands of cycles, this leads to an Out-of-Memory condition.

The security impact of CVE-2026-12151 is classified as High, with a CVSS v3.1 Base Score of 7.5. The primary consequence is the total loss of availability for the application utilizing the undici client. In Node.js environments, an Out-of-Memory error results in a fatal error, which abruptly terminates the entire process.

If the affected Node.js service is responsible for handling critical backend integrations, message consumption, or user-facing APIs, the crash results in an immediate service disruption. Unless robust external process monitoring (such as systemd, PM2, or Kubernetes Pod orchestrators) is in place to auto-restart the process, the denial of service remains permanent.

Even with automated recovery mechanisms, an attacker can continuously exploit the loop upon client reconnection, creating a persistent denial of service state. This attack requires zero privileges and no user interaction, making it highly attractive for attackers targeting webhook handlers or client-side integrations that connect to user-supplied URLs.

To remediate CVE-2026-12151, developers must upgrade the undici package to the designated non-vulnerable versions. No configuration workarounds exist that can mitigate this flaw within the affected versions, as the vulnerability lies deep within the framing state machine.

Upgrade paths based on major version lines are as follows:

• If using undici v6.x: Upgrade to v6.26.0 or later.
• If using undici v7.x: Upgrade to v7.28.0 or later.
• If using undici v8.x: Upgrade to v8.5.0 or later.

To verify the current version of undici installed in a project, run the following npm CLI command:

npm ls undici

If indirect or transient dependencies pull in a vulnerable version, developers can enforce resolutions in their package.json using NPM overrides or Yarn resolutions to force the safe version.