CNNVD-202601-2379 Information

CNNVD ID

CNNVD-202601-2379

CVE-2026-22036

  • CNNVD Published: 2026-01-14

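Description (translated from Chinese)

undici is an open source HTTP/1.1 client for Node.js. undici versions before 7.18.0 and before 6.23.0 contain a security vulnerability that stems from an unlimited number of links in the decompression chain, which may lead to high CPU usage and excessive memory allocation.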

Description (English)

Undici is an open source HTTP/1.1 client for Node.js. Undici versions before 7.18.0 and before 6.23.0 contain a security vulnerability that stems from the unlimited number of links in the decompression chain, which may lead to high CPU usage and excessive memory allocation.

Hazard Level

Critical

Vulnerability Type

Other

Affected Vendor

Node.js

Published

2026-01-14

Last Modified

2026-02-24

References

https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9

Patch

https://github.com/nodejs/undici/releases
