GHSA-g9mf-h72j-4rw9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g9mf-h72j-4rw9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-g9mf-h72j-4rw9/GHSA-g9mf-h72j-4rw9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g9mf-h72j-4rw9
- Aliases
- Downstream
- Related
- Published
- 2026-01-14T21:06:08Z
- Modified
- 2026-01-21T17:05:40.938446Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
- Details
-
Impact
The
fetch()API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.
Patches
Upgrade to 7.18.2 or 6.23.0.
Workarounds
It is possible to apply an undici interceptor and filter long
Content-Encodingsequences manually.References
- https://hackerone.com/reports/3456148
- https://github.com/advisories/GHSA-gm62-xv2j-4w53
- https://curl.se/docs/CVE-2022-32206.html
- Database specific
{ "cwe_ids": [ "CWE-770" ], "severity": "LOW", "nvd_published_at": "2026-01-14T19:16:47Z", "github_reviewed": true, "github_reviewed_at": "2026-01-14T21:06:08Z" }- References
Affected packages
npm / undici
Package
- Name
- undici
- View open source insights on deps.dev
- Purl
- pkg:npm/undici
npm / undici
Package
- Name
- undici
- View open source insights on deps.dev
- Purl
- pkg:npm/undici