CVE-2026-1528

Published: Mar 12, 2026 Last Modified: Mar 12, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,5

Source: ce714d77-add3-4f53-aff5-83d477b104bb

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

248

Uncaught Exception

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Confidentiality

Potential Impacts:

Dos: Crash, Exit, Or Restart Read Application Data

Applicable Platforms

Languages: C#, C++, Java

View CWE Details

1284

Improper Validation of Specified Quantity in Input

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Other Integrity Availability

Potential Impacts:

Varies By Context Dos: Resource Consumption (Cpu) Modify Memory Read Memory

Applicable Platforms

All platforms may be affected

View CWE Details

https://cna.openjsf.org/security-advisories.html

https://github.com/nodejs/undici/security/advisories/GHSA-f…

https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj

https://hackerone.com/reports/3537648

CVE-2026-1528

Description

Uncaught Exception

Common Consequences

Applicable Platforms

Improper Validation of Specified Quantity in Input

Common Consequences

Applicable Platforms

Iscriviti alla newsletter