CVE-2026-22036

Death by a Thousand Gzips: The Node.js Undici Decompression Loop

Alon Barad
Software Engineer

Jan 15, 2026 · 6 min read

Executive Summary (TL;DR)

Undici, the engine behind Node.js's native `fetch()`, failed to limit the number of decompression steps it would perform on a response. By sending a header like `Content-Encoding: gzip, gzip, ...` repeated thousands of times, an attacker can force the client to allocate thousands of stream objects, leading to high CPU usage and eventual process crashes (DoS). The fix introduces a hard limit of 5 encoding layers.

A resource exhaustion vulnerability in the Undici HTTP client allows malicious servers to crash Node.js applications by supplying an excessive number of compression layers in the Content-Encoding header.

Technical Appendix

CVSS Score: 3.7 / 10 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Probability: 0.04% (Top 100% most exploited)

Affected Systems

Node.js applications using the global fetch()
Undici v7.x (< 7.18.0)
Undici v6.x (< 6.23.0)

Affected Versions Detail

Product          | Affected Versions   | Fixed Version
Undici (Node.js) | >= 7.0.0, < 7.18.0  | 7.18.0
Undici (Node.js) | < 6.23.0            | 6.23.0
Attribute        | Detail
CWE ID           | CWE-770
Attack Vector    | Network
CVSS             | 3.7 (Low)
Impact           | Denial of Service (DoS)
Component        | lib/interceptor/decompress.js
Limit Introduced | 5 encodings

CWE-770: Allocation of Resources Without Limits or Throttling

Vulnerability Timeline

2026-01-06: Fix authored by Matteo Collina
2026-01-14: CVE and GHSA published
