CVE-2026-22036: CWE-770: Allocation of Resources Without Limits or Throttling in nodejs undici
CVE-2026-22036 is a medium severity vulnerability in the Node.js HTTP client library undici, affecting versions prior to 6.23.0 and between 7.0.0 and 7.18.2. The flaw arises from an unbounded decompression chain during HTTP response processing, allowing a malicious server to trigger excessive CPU and memory consumption by inserting thousands of compression steps. This resource exhaustion can lead to denial of service without requiring authentication or user interaction.
AI Analysis
Technical Summary
CVE-2026-22036 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) found in the undici HTTP/1.1 client library for Node.js. The issue exists in undici versions prior to 6.23.0 and between 7.0.0 and 7.18.2, where the decompression chain length is unbounded when processing HTTP responses. Specifically, the default maxHeaderSize setting allows a malicious HTTP server to craft responses with thousands of compression steps, causing the client to allocate excessive memory and consume high CPU resources during decompression. This leads to a denial-of-service (DoS) condition by exhausting system resources. The vulnerability does not impact confidentiality or integrity but severely affects availability. Exploitation requires no authentication or user interaction and can be triggered remotely by connecting to a malicious or compromised HTTP server. The vulnerability was publicly disclosed on January 14, 2026, with a CVSS v3.1 base score of 5.9 (medium severity), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability. The issue is resolved in undici versions 6.23.0 and 7.18.2 by introducing limits on the decompression chain length and improving resource management during decompression.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to availability of services that rely on Node.js applications using vulnerable undici versions for HTTP client functionality. Organizations that consume HTTP responses from external or untrusted servers—such as API clients, microservices, or proxy services—may experience service outages or degraded performance due to resource exhaustion. This can disrupt business operations, impact customer-facing services, and potentially cause cascading failures in distributed systems. The vulnerability does not expose sensitive data or allow unauthorized code execution, but denial of service can have significant operational and reputational consequences. Sectors with high reliance on Node.js for web services, including finance, telecommunications, and e-commerce, may be particularly impacted. Additionally, cloud and hosting providers running Node.js workloads could see increased incident response costs and service level agreement (SLA) violations if exploited.
Mitigation Recommendations
The primary mitigation is to upgrade undici to version 6.23.0 or later, or 7.18.2 or later, where the vulnerability is fixed. Organizations should audit their Node.js dependencies to identify and remediate vulnerable undici versions promptly. In addition, implement network-level protections such as firewall rules or proxy filtering to restrict connections to trusted HTTP servers and block suspicious or untrusted endpoints that could serve malicious responses. Employ runtime monitoring and resource usage alerts to detect abnormal CPU or memory consumption in Node.js processes. Consider configuring Node.js application-level timeouts and limits on response sizes to reduce impact. For environments where immediate upgrade is not feasible, isolating vulnerable services in containers or sandboxes with resource limits can help contain potential DoS effects. Regularly review and update dependency management practices to prevent introduction of vulnerable versions in the future.
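Two defender-side checks that follow from the technical summary and the mitigation advice above, written as an added example (not undici's own code): a version-range test for the affected releases listed on this page, and a guard that counts the codings in a Content-Encoding header and refuses chains longer than a cap before any decompressor is allocated. The cap value and the sample headers are assumptions constructed for the example.

```javascript
// Added example for CVE-2026-22036; not code from undici or from this advisory.

function parseSemver(version) {
  // Strip a leading "v" and any prerelease/build suffix; return [major, minor, patch].
  const core = version.replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  return parts;
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableUndici(version) {
  // Affected ranges from the advisory: every release before 6.23.0,
  // and 7.0.0 up to but not including 7.18.2.
  const lt = (x, y) => compareSemver(x, y) < 0;
  if (lt(version, '6.23.0')) return true;
  return !lt(version, '7.0.0') && lt(version, '7.18.2');
}

// Assumed cap: legitimate responses rarely stack more than two codings.
const MAX_ENCODING_STEPS = 4;

function checkContentEncodingChain(headerValue, maxSteps = MAX_ENCODING_STEPS) {
  // Content-Encoding is a comma-separated list applied in order; each
  // non-identity entry is one decompression step the client would run.
  const codings = (headerValue || '')
    .split(',')
    .map((c) => c.trim().toLowerCase())
    .filter((c) => c !== '' && c !== 'identity');
  return { ok: codings.length <= maxSteps, steps: codings.length, codings };
}

// Constructed sample headers: a chain of thousands of steps versus a normal one.
const hostileHeader = Array(5000).fill('gzip').join(', ');
const normalHeader = 'gzip';

console.log('6.22.0 vulnerable:', isVulnerableUndici('6.22.0'));
console.log('hostile chain accepted:', checkContentEncodingChain(hostileHeader).ok);
console.log('normal chain accepted:', checkContentEncodingChain(normalHeader).ok);
```

In a real client the chain check runs on the response headers before the body stream is piped through any inflater, and a rejected response is closed rather than decoded.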
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T22:30:38.719Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6967ebd9f809b25a98d9ca09
Added to database: 1/14/2026, 7:17:45 PM
Last enriched: 1/29/2026, 8:42:34 AM
Last updated: 2/7/2026, 3:24:09 PM