NVD - CVE-2026-1528 (original) (raw)
Initial Analysis by NIST 3/20/2026 11:41:40 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | OR *cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:* versions up to (excluding) 6.24.0 *cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:* versions from (including) 7.0.0 up to (excluding) 7.24.0 | |
| Added | Reference Type | openjs: https://cna.openjsf.org/security-advisories.html Types: Vendor Advisory | |
| Added | Reference Type | openjs: https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj Types: Vendor Advisory | |
| Added | Reference Type | openjs: https://hackerone.com/reports/3537648 Types: Permissions Required |
New CVE Received from openjs 3/12/2026 5:16:25 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later. | |
| Added | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | |
| Added | CWE | CWE-248 | |
| Added | CWE | CWE-1284 | |
| Added | Reference | https://cna.openjsf.org/security-advisories.html | |
| Added | Reference | https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj | |
| Added | Reference | https://hackerone.com/reports/3537648 |