CVE-2026-22036
HTTP encoding vulnerability in undici (npm)
What is CVE-2026-22036 About?
undici's `fetch()` implementation and its decompress interceptor apply every coding listed in a response's Content-Encoding header, with no limit on how many there are. A server (or anything else able to supply a response to the client) can list thousands of codings, and the client creates a decompressor for each one, driving up CPU usage and memory allocation until the process is starved. The result is a denial of service that requires nothing more than a crafted HTTP response.
Affected Software
- undici
- <6.23.0
- >=7.0.0, <7.18.2
Technical Details
The fetch() API and the undici decompress interceptor support chained content codings as defined by RFC 9110: a response may carry Content-Encoding: gzip, br (or several Content-Encoding header fields, which are equivalent to one comma-joined list), naming the codings in the order the server applied them, and the client must undo them in reverse order. The vulnerable versions place no limit on the length of that list. A malicious server can send a response listing thousands of codings, for example Content-Encoding: gzip, br, gzip, br, ..., and the client sets up one decompression stage per entry. Each stage costs CPU time and allocates its own decoder state and intermediate buffers, so a single response with a long enough chain sustains high CPU utilization and significant memory use and can exhaust the process. The body itself does not need to be validly compressed thousands of times; the cost comes from the chain the header declares.
What is the Impact of CVE-2026-22036?
Successful exploitation lets an attacker cause a denial of service in the process that consumes the response: sustained CPU saturation, memory exhaustion, unresponsiveness, and potentially a crash of the affected service or application. Because the trigger is a single response, one malicious fetch is enough; the attacker does not need to flood the victim with requests.
What is the Exploitability of CVE-2026-22036?
Exploitation is straightforward: the attacker needs control over an HTTP server that the victim fetches from, or another way to hand the client a response (an on-path position, or a redirect from a server the victim does trust, since fetch() follows redirects by default). No authentication or privileges are required on the client side, because the vulnerability is triggered purely by how the response's Content-Encoding header is processed. It is a remote scenario: the malicious content originates from the server. The only precondition is that the victim's application uses a vulnerable undici fetch() implementation or the undici decompress interceptor to handle responses from an untrusted source, and exposure grows with how often the application fetches from external, attacker-reachable endpoints. Note that the global fetch built into Node.js is backed by a bundled copy of undici, so applications that never install the npm package directly can still be exposed through their Node.js version.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| None | None | No public exploit is known at the time of writing. |
What are the Available Fixes for CVE-2026-22036?
Available Upgrade Options
- undici
  - <6.23.0 → Upgrade to 6.23.0
  - >=7.0.0, <7.18.2 → Upgrade to 7.18.2

When checking exposure, audit the lockfile for transitive copies as well as direct dependencies: undici is commonly pulled in by other packages, and the copy bundled in Node.js for the global fetch is updated only by upgrading Node.js itself.
Additional Resources
- https://github.com/nodejs/undici
- https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
- https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
- https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
What are Similar Vulnerabilities to CVE-2026-22036?
Similar Vulnerabilities: CVE-2022-32206 (the equivalent issue in curl, where an unbounded chain of HTTP content decoders could be forced by a server), CVE-2019-15903, CVE-2021-36159, CVE-2018-1000130, CVE-2020-25692
