CVE-2026-1526— undici 安全漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-1526の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression
ソース: NVD (National Vulnerability Database)
脆弱性説明
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
对高度压缩数据的处理不恰当(数据放大攻击)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
undici 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
undici是Node.js开源的一个HTTP/1.1客户端。 undici存在安全漏洞,该漏洞源于在permessage-deflate解压缩期间存在无限制内存消耗,可能导致恶意WebSocket服务器发送小型压缩帧,使Node.js进程耗尽内存并崩溃或无响应。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
II. CVE-2026-1526の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-1526のインテリジェンス情報
请登录查看更多情报信息。
Same Patch Batch · undici · 2026-03-12 · 6 CVEs total
| CVE-2026-1528 | 7.5 HIGH | undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and cras |
| CVE-2026-2229 | 7.5 HIGH | undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid serv |
| CVE-2026-1525 | 6.5 MEDIUM | undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Respon |
| CVE-2026-2581 | 5.9 MEDIUM | undici is vulnerable to Unbounded Memory Consumption in in Undici's DeduplicationHandler v |
| CVE-2026-1527 | 4.6 MEDIUM | undici is vulnerable to CRLF Injection via upgrade option |
IV. 関連脆弱性
同じ製品: undici
- CVE-2026-2229
undici is vulnerable to Unhandled Exception in undici WebSoc - CVE-2026-1528
undici is vulnerable to Malicious WebSocket 64-bit length ov - CVE-2026-1527
undici is vulnerable to CRLF Injection via upgrade option - CVE-2026-2581
undici is vulnerable to Unbounded Memory Consumption in in U - CVE-2026-1525
undici is vulnerable to Inconsistent Interpretation of HTTP
同じベンダー: undici
- CVE-2026-2229
undici is vulnerable to Unhandled Exception in undici WebSoc - CVE-2026-1528
undici is vulnerable to Malicious WebSocket 64-bit length ov - CVE-2026-1527
undici is vulnerable to CRLF Injection via upgrade option - CVE-2026-2581
undici is vulnerable to Unbounded Memory Consumption in in U - CVE-2026-1525
undici is vulnerable to Inconsistent Interpretation of HTTP
同じ弱点: CWE-409
- CVE-2026-27460
Tandoor Recipes Affected by Denial of Service via Recipe Imp - CVE-2026-40148
PraisonAI Affected by Decompression Bomb DoS via Recipe Bund - CVE-2026-39373
JWCrypto: JWE ZIP decompression bomb - CVE-2026-3114
Zip Bomb Denial of Service via Unrestricted Archive Decompre - CVE-2026-32044
OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills In
V. CVE-2026-1526へのコメント
まだコメントはありません