CVE-2026-22036

Source
https://cve.org/CVERecord?id=CVE-2026-22036
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22036.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22036
Aliases
Downstream
Related
Published
2026-01-14T19:07:13.745Z
Modified
2026-05-18T05:58:31.449137453Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Undici has an unbounded decompression chain in HTTP responses on the Node.js Fetch API via Content-Encoding that leads to resource exhaustion
Details

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps in a single Content-Encoding header, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

Database specific
{
    "cwe_ids": [
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22036.json"
}
References

Affected packages

Git / github.com/nodejs/undici

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/undici
Events

Affected versions

v7.*
v7.0.0
v7.1.0
v7.1.1
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.3.0
v7.4.0
v7.5.0
v7.6.0
v7.7.0
v7.8.0
v7.9.0
v7.10.0
v7.11.0
v7.12.0
v7.13.0
v7.14.0
v7.15.0
v7.16.0
v7.17.0
v7.18.0
v7.18.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22036.json"