{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
            "extracted_events": [
              {
                "introduced": "6.17.0"
              },
              {
                "fixed": "6.27.0"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.28.0"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.5.0"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "0ca9c1e1faa8cac5ed9310dacbe2e9b5cfd4f6b1"
            },
            {
              "fixed": "551138cbc1742c92242a68216167761075e8a82c"
            },
            {
              "introduced": "1cfe0949053aac6267f11b919cee9315a27f1fd6"
            },
            {
              "fixed": "f9eba0ad9134e1c0977848476bba9d49734696e4"
            },
            {
              "introduced": "d7fbba51772deecb830a297647456a5e9f9fec57"
            },
            {
              "fixed": "a0806e1f66a83db0a792b8407c2e97fcf8ed58af"
            }
          ],
          "repo": "https://github.com/nodejs/undici",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-vxpw-j846-p89q"
  ],
  "database_specific": {
    "cna_assigner": "openjs",
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12151.json"
  },
  "details": "Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches: Upgrade to undici \u003e= 6.26.0, \u003e= 7.28.0, or \u003e= 8.5.0. Workarounds:\nNo workaround is available. The fix must be applied through an upgrade.",
  "id": "CVE-2026-12151",
  "modified": "2026-07-11T03:54:26.925382139Z",
  "published": "2026-06-17T16:05:38.785Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12151.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:34342"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:35841"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:35842"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:35891"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:35892"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:36754"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:36820"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-12151"
    },
    {
      "type": "ADVISORY",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12151.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489980"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "undici WebSocket client vulnerable to denial of service via fragment count bypass"
}