CVE-2026-2229

Description

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. Any server the client connects to can trigger this, so clients that talk to untrusted or third-party WebSocket endpoints are exposed.

The vulnerability exists because:

* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process

Risk Information

Base Score
7.5
MODERATE (as labelled here; 7.5 maps to High on the CVSS 3.1 qualitative scale)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score (Exploitation Probability)
0.186

Associated Vulnerability

Vulnerability: Multiple vulnerabilities affect IBM App Connect Enterprise 13.0.6.2
OS Platform: Windows

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2026-2229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2229