VDB
DEBIAN-CVE-2026-22036
DEBIAN-CVE-2026-22036
PUBLISHED
CVSS 7.5 HIGH
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | node-undici | *, *, * |
| Debian:14 | node-undici | 7.15.0+dfsg+~cs3.2.0-1, 7.15.0+dfsg+~cs3.2.0-3, 7.16.0+dfsg+~cs3.2.0-1 |
| Debian:12 | node-undici | 5.15.0+dfsg1, 5.15.0+dfsg1, 5.15.0+dfsg1 |
Timeline
- Jan 14, 2026 CVE Published
- Apr 28, 2026 CVE Updated