CVE-2026-2229
Published: March 12th, 2026
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process
HIGH
CVSS v3: 7.5
CVSS v3: 7.5
Status
| DocFilters Release | Package | State | Justification | Comment |
|---|---|---|---|---|
| 0.0.0.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 26.1.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 26.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 25.4 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 25.3 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 25.2 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 25.1.2 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 25.1.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 25.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 24.4 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 24.4.0 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 24.3 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 24.2.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 24.2 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 24.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 23.3 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 23.2.1 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 23.2 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 23.1 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 22.4 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 22.3 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 22.2 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 22.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 21.11.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 21.11 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 21.8.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 21.8 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 21.5.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 21.5.0 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 21.2.0 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.20 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.19.3667 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.18.3599 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.17 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.16.3445 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.15.3368 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.14.3263 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.13.3179 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.12.3054 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.11.3040 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.11.2990 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.10.2934 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.9.2878 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
| 11.4.8.2822 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-2229 is specific to the undici Node.js HTTP/WebSocket client (npm package), which fails to validate the server_max_window_bits parameter before passing it to zlib InflateRaw. The vulnerability is in undici’s JavaScript code, not in the zlib C library itself. Document Filters does not use undici, Node.js, or any WebSocket client. Document Filters uses zlib 1.3 as a C library for compression/decompression and always passes valid windowBits values to inflateInit2(). |
Severity score breakdown
Attack Complexity
LOW
Attack Vector
NETWORK
Availability Impact
HIGH
Base Score
7.5
Base Severity
HIGH
Confidentiality Impact
NONE
Integrity Impact
NONE
Privileges Required
NONE
Scope
UNCHANGED
User Interaction
NONE
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version
3.1