Fluid Attacks Database

Description

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

https://hackerone.com/reports/3456148

https://github.com/advisories/GHSA-gm62-xv2j-4w53

https://curl.se/docs/CVE-2022-32206.html

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	undici	>=7.0.0 <7.18.2 \|\| >=0 <6.23.0	7.18.2, 6.23.0
debian 12	node-undici	=5.15.0+dfsg1+~cs20.10.9.3-1 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 \|\| =5.19.1+dfsg1+~cs20.10.9.5-1 \|\| =5.19.1+dfsg1+~cs20.10.9.5-2 \|\| =5.22.1+dfsg1+~cs20.10.10.2-1 \|\| =5.26.3+dfsg1+~cs23.10.12-1 \|\| =5.26.3+dfsg1+~cs23.10.12-2 \|\| =5.26.3+dfsg1+~cs23.10.12-3 \|\| =5.28.0+dfsg1+~cs23.11.12.3-1 \|\| =5.28.0+dfsg1+~cs23.11.12.3-2 \|\| =5.28.2+dfsg1+~cs23.11.12.3-1 \|\| =5.28.2+dfsg1+~cs23.11.12.3-2 \|\| =5.28.2+dfsg1+~cs23.11.12.3-3 \|\| =5.28.2+dfsg1+~cs23.11.12.3-4 \|\| =5.28.2+dfsg1+~cs23.11.12.3-5 \|\| =5.28.2+dfsg1+~cs23.11.12.3-6 \|\| =5.28.4+dfsg1+~cs23.12.11-1 \|\| =5.28.4+dfsg1+~cs23.12.11-2 \|\| =7.1.0+dfsg1+~cs24.12.10-1 \|\| =7.15.0+dfsg+~cs3.2.0-1 \|\| =7.15.0+dfsg+~cs3.2.0-3 \|\| =7.16.0+dfsg+~cs3.2.0-1 \|\| =7.16.0+dfsg+~cs3.2.0-2 \|\| =7.18.2+dfsg+~cs3.2.0-1 \|\| =7.2.3+dfsg1+~cs24.12.11-1 \|\| =7.2.3+dfsg1+~cs24.12.11-2 \|\| =7.24.5+dfsg+~cs3.2.0-1 \|\| =7.24.6+dfsg+~cs3.2.0-1 \|\| =7.24.6+dfsg+~cs3.2.0-2 \|\| =7.3.0+dfsg1+~cs24.12.11-1 \|\| =7.3.0+dfsg1+~cs24.12.11-2	-
debian 14	node-undici	=7.15.0+dfsg+~cs3.2.0-1 \|\| =7.15.0+dfsg+~cs3.2.0-3 \|\| =7.16.0+dfsg+~cs3.2.0-1 \|\| =7.16.0+dfsg+~cs3.2.0-2 \|\| =7.3.0+dfsg1+~cs24.12.11-1 \|\| =7.3.0+dfsg1+~cs24.12.11-2 \|\| >=0 <7.18.2+dfsg+~cs3.2.0-1	7.18.2+dfsg+~cs3.2.0-1
debian 13	node-undici	=7.15.0+dfsg+~cs3.2.0-1 \|\| =7.15.0+dfsg+~cs3.2.0-3 \|\| =7.16.0+dfsg+~cs3.2.0-1 \|\| =7.16.0+dfsg+~cs3.2.0-2 \|\| =7.18.2+dfsg+~cs3.2.0-1 \|\| =7.24.5+dfsg+~cs3.2.0-1 \|\| =7.24.6+dfsg+~cs3.2.0-1 \|\| =7.24.6+dfsg+~cs3.2.0-2 \|\| =7.3.0+dfsg1+~cs24.12.11-1 \|\| =7.3.0+dfsg1+~cs24.12.11-2	-
rpm rhel10	nodejs22	-	-
rpm rhel10	nodejs24	-	-
rpm rhel8	nodejs	-	-
rpm rhel9	nodejs	-	-

Aliases

1. CVE-2026-220362. NVD-2026-220363. OSV-2026-220364. OSV-DEBIAN-2026-220365. GHSA-g9mf-h72j-4rw96. GCVE-2026-220367. SECURITY-TRACKER-CVE-2026-22036

References

1. https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw92. https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3