Security Advisory

CVE-2026-22036

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-01-14 19:07:13

Last updated 2026-01-22 20:17:20

Assigner GitHub_M

State PUBLISHED

Description

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

← Browse all CVEs View on cve.org ↗