CVE-2026-22036: CWE-770: Allocation of Resources Without Limits or Throttling in nodejs undici

Severity: Low
Tags: Vulnerability, CVE-2026-22036, CWE-770
Published: Wed Jan 14 2026 (01/14/2026, 19:07:13 UTC)
Source: CVE Database V5
Vendor/Project: nodejs
Product: undici

Description

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

AI-Powered Analysis

Last updated: 01/14/2026, 19:32:06 UTC

Technical Analysis

CVE-2026-22036 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) in the undici HTTP/1.1 client library for Node.js. Undici versions prior to 6.23.0 and between 7.0.0 and 7.18.2 do not limit the number of links in the decompression chain when handling compressed HTTP responses. This allows a malicious HTTP server to craft responses with thousands of compression steps, causing the client to spend excessive CPU cycles and allocate large amounts of memory while decompressing. The result is denial of service (DoS) through resource exhaustion, which can degrade or crash applications that rely on undici for HTTP communication. Confidentiality and integrity are not affected, since this is purely a resource exhaustion problem, and exploitation requires neither authentication nor user interaction. The CVSS v3.1 score is 3.7 (low), reflecting the network attack vector, high attack complexity, no privileges required, no user interaction, and limited impact on availability. No exploits in the wild had been reported as of the publication date. The vulnerability was fixed in undici versions 6.23.0 and 7.18.2 by limiting the length of the decompression chain. Organizations running vulnerable undici versions should prioritize upgrading to these fixed releases.

Potential Impact

For European organizations, the primary impact of CVE-2026-22036 is the risk of denial of service due to excessive CPU and memory consumption when interacting with malicious or compromised HTTP servers. This can lead to application slowdowns, crashes, or unavailability of services relying on Node.js undici for HTTP client functionality. Enterprises using undici in microservices, API clients, or server-side applications that consume external HTTP services are particularly at risk. Although the vulnerability does not compromise data confidentiality or integrity, service disruption can affect business continuity, user experience, and operational efficiency. In sectors such as finance, telecommunications, and e-commerce, where Node.js is widely used, such disruptions could have cascading effects. The low CVSS score and absence of known exploits suggest a limited immediate threat, but the potential for targeted DoS attacks against critical infrastructure or high-value services remains. Organizations should assess their exposure based on undici usage and the trustworthiness of external HTTP endpoints.

Mitigation Recommendations

To mitigate CVE-2026-22036, European organizations should:
1) Upgrade all instances of undici to 6.23.0 or later (6.x line) or 7.18.2 or later (7.x line), where the decompression chain length is limited.
2) Audit and inventory Node.js applications to identify usage of vulnerable undici versions, including undici bundled transitively by other packages.
3) Implement network-level controls such as firewall rules or proxy filtering to restrict outbound HTTP connections to trusted and verified servers, reducing exposure to malicious endpoints.
4) Monitor application CPU and memory usage for unusual spikes that could indicate exploitation attempts.
5) Apply rate limiting and timeout settings on HTTP clients so that a single response cannot consume resources for a prolonged period.
6) Incorporate dependency scanning in CI/CD pipelines to detect vulnerable undici versions before deployment.
7) Educate developers about safe handling of compressed HTTP responses and the importance of timely dependency updates.
These steps go beyond generic patching by adding network- and application-level controls tailored to the vulnerability's exploitation vector.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-05T22:30:38.719Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6967ebd9f809b25a98d9ca09

Added to database: 1/14/2026, 7:17:45 PM

Last enriched: 1/14/2026, 7:32:06 PM

Last updated: 1/14/2026, 8:50:02 PM

