You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix:32dbf0b3websocket: limit the number of fragments in a message (also c5ed7875handle empty fragments and stream limits)
A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.
Affected: applications using new WebSocket(...) or WebSocketStream
against untrusted endpoints.
Workaround: none — upgrade is required.
WebSocket DoS via cumulative fragment bypass — CVE-2026-9675
GHSA-38rv-x7px-6hhq · CWE-400, CWE-770
Fix:b4c287b3fix(websocket): enforce max payload size across fragments
Undici validated the size of individual frames but did not track cumulative size
across a fragmented message. An attacker could send many small fragments that
each pass per-frame validation but collectively exceed the configured limit,
causing memory exhaustion. This is a regression introduced in 8.1.0 (the
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update Javascript code
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps undici from 8.0.2 to 8.5.0.
Release notes
Sourced from undici's releases.
... (truncated)
Commits
a0806e1Bumped v8.5.0 (#5429)8a0392ctest: detect available python command in wpt runner (#5427)f4045b9ci: increase Node.js workflow timeout (#5426)363e44fchore: removed repro-h2-pipelining-default.mjs and lint (#5420)c5ed787websocket: handle empty fragments and stream limitse114e77align EventSource with spec (#5418)6df53c5fix: preserve h2 queue on out-of-order completion (#5410)32dbf0bwebsocket: limit the number of fragments in a message0d6ecc5add bodymixin.textStream() (#5416)42d4955fix: honor requestTls when proxy is SOCKS5