
CVE-2026-12151 (HIGH): detected in Lambda Docker Images. #578

Description

@the-lambda-watchdog

CVE Details

CVE ID          Severity  Affected Package  Installed Version  Fixed Version          Date Published           Date of Scan
CVE-2026-12151  HIGH      undici            6.25.0             6.27.0, 7.28.0, 8.5.0  2026-06-17T17:16:42.37Z  2026-06-23T10:18:18.216181542Z

Affected Docker Images

Image Name                       SHA
public.ecr.aws/lambda/nodejs:24  public.ecr.aws/lambda/nodejs@sha256:904f7a98db07d37b59bf7edd90ed97bbba1cb574fd86db462205c68cfc55486c

Description

Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of the fragments of a message, but it does not limit the number of fragments. A malicious WebSocket server can therefore stream an arbitrary number of small or empty continuation frames: each frame passes per-frame and cumulative-size validation, yet every buffered fragment costs memory, so the client process grows without bound while the byte total stays under the limit. The result is memory exhaustion and a denial of service against the client.

Affected applications are those that use the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API and can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. The attack runs from server to client: the exposed process is one that opens outbound WebSocket connections to endpoints it does not fully control, not one that merely serves WebSocket clients.

All releases starting at undici 6.17.0 are affected.

Patches:
Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. The scanner table above reports 6.27.0 as the fixed 6.x release; upgrading to 6.27.0 or later on that line satisfies both statements.

Workarounds:
No workaround is available. The fix must be applied through an upgrade.
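The mechanism above, shown as an added illustrative model that is not undici's code and not part of the Lambda Watchdog report. It encodes a constructed server-to-client frame sequence (one non-final TEXT frame followed by thousands of empty continuation frames and no FIN), then runs it through a reassembler that checks only maxPayloadSize, as the advisory describes, and through one that additionally caps fragments per message. The maxFragments policy value is an assumption for the example, not an undici option.

```javascript
// Added example (not undici's code): a minimal model of WebSocket message
// reassembly that shows the flaw class described above, next to a hardened
// version. Frames follow RFC 6455, but only short (< 126 byte) unmasked
// server->client frames are encoded; the attack stream is constructed here.

const OPCODE_CONTINUATION = 0x0;
const OPCODE_TEXT = 0x1;

// Encode one unmasked server->client frame with a short payload.
function encodeFrame(fin, opcode, payload) {
  if (payload.length > 125) throw new Error('example encodes payloads < 126 bytes only');
  const header = Buffer.from([(fin ? 0x80 : 0x00) | opcode, payload.length]);
  return Buffer.concat([header, payload]);
}

// Constructed attack stream: one non-final TEXT frame carrying a single byte,
// followed by `count` empty continuation frames and never a FIN.
function maliciousFragmentStream(count) {
  const frames = [encodeFrame(false, OPCODE_TEXT, Buffer.from('a'))];
  for (let i = 0; i < count; i++) {
    frames.push(encodeFrame(false, OPCODE_CONTINUATION, Buffer.alloc(0)));
  }
  return Buffer.concat(frames);
}

// Split a byte stream of short frames into { fin, opcode, payload } records.
function parseFrames(buf) {
  const frames = [];
  let off = 0;
  while (off + 2 <= buf.length) {
    const b0 = buf[off];
    const len = buf[off + 1] & 0x7f;
    if (off + 2 + len > buf.length) break; // incomplete trailing frame
    frames.push({ fin: (b0 & 0x80) !== 0, opcode: b0 & 0x0f, payload: buf.subarray(off + 2, off + 2 + len) });
    off += 2 + len;
  }
  return frames;
}

// Vulnerable pattern: maxPayloadSize is checked per frame and on the running
// byte total, but every fragment is kept as its own object until FIN arrives.
// A server that never sends FIN decides how many objects the client holds.
function reassembleVulnerable(frames, maxPayloadSize) {
  const fragments = [];
  let total = 0;
  for (const f of frames) {
    if (f.payload.length > maxPayloadSize) throw new Error('frame exceeds maxPayloadSize');
    total += f.payload.length;
    if (total > maxPayloadSize) throw new Error('message exceeds maxPayloadSize');
    fragments.push(f.payload);
    if (f.fin) return { message: Buffer.concat(fragments), fragmentsHeld: 0, bytesHeld: 0 };
  }
  // Message still open: memory held scales with fragment count, not bytes.
  return { message: null, fragmentsHeld: fragments.length, bytesHeld: total };
}

// Hardened pattern: also bound the fragment count per message (maxFragments is
// an assumed policy value for this example) and fail closed when it is exceeded.
function reassembleHardened(frames, maxPayloadSize, maxFragments) {
  const fragments = [];
  let total = 0;
  for (const f of frames) {
    if (fragments.length >= maxFragments) throw new Error('too many fragments in one message');
    if (total + f.payload.length > maxPayloadSize) throw new Error('message exceeds maxPayloadSize');
    total += f.payload.length;
    fragments.push(f.payload);
    if (f.fin) return { message: Buffer.concat(fragments), fragmentsHeld: 0, bytesHeld: 0 };
  }
  return { message: null, fragmentsHeld: fragments.length, bytesHeld: total };
}

// Run the constructed attack against both assemblers and report what each holds.
function demo(fragmentCount = 10000, maxPayloadSize = 1024 * 1024, maxFragments = 1024) {
  const frames = parseFrames(maliciousFragmentStream(fragmentCount));
  const vulnerable = reassembleVulnerable(frames, maxPayloadSize);
  let hardened;
  try {
    hardened = reassembleHardened(frames, maxPayloadSize, maxFragments);
  } catch (e) {
    hardened = { rejected: e.message };
  }
  return { framesParsed: frames.length, vulnerable, hardened };
}
```

Calling demo() with the defaults shows the point of the advisory in numbers: the vulnerable assembler ends with 10001 fragments held while bytesHeld is 1, so no byte-based limit would ever trip, whereas the hardened assembler rejects the message at the 1025th fragment. In a real client the held objects carry per-Buffer overhead on top of their payload, which is what turns a zero-byte stream into memory exhaustion.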


Remediation Steps

  • Update the affected package undici from version 6.25.0 to 6.27.0 or later on the 6.x line (7.28.0 or later on 7.x, 8.5.0 or later on 8.x).
  • Establish where the detected copy lives before patching. If undici is pulled in by the function's own dependencies (npm ls undici shows it under your package), bump it in package.json and the lockfile and redeploy. If it is part of the base image itself, it cannot be fixed with npm inside the function: rebuild on a newer public.ecr.aws/lambda/nodejs:24 build once one carries a fixed version, and pin the image by digest so the rebuild is reproducible.
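A triage helper, added here and not part of the Lambda Watchdog report, that classifies an undici version against the ranges stated on this page and inspects the copy Node.js reports for itself via process.versions.undici (present in recent Node releases; the helper returns null when it is absent). The 6.x bound uses the scanner's 6.27.0 rather than the advisory's 6.26.0, so a 6.26.x install is reported as affected on the conservative side; majors the page does not cover yield null rather than a guess.

```javascript
// Added example (not from the advisory): classify an undici version against
// the affected/fixed ranges stated on this page. FIRST_AFFECTED and FIXED are
// taken from the report; 6.27.0 is the scanner's bound (advisory text: 6.26.0).

const FIRST_AFFECTED = '6.17.0';
const FIXED = { 6: '6.27.0', 7: '7.28.0', 8: '8.5.0' };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", prerelease suffix ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = not affected, null = major line not covered here.
function undiciAffected(version) {
  const v = parseSemver(version);
  if (compareSemver(v, parseSemver(FIRST_AFFECTED)) < 0) return false;
  const fixed = FIXED[v[0]];
  if (fixed === undefined) return null;
  return compareSemver(v, parseSemver(fixed)) < 0;
}

// Status of the undici copy bundled with the running Node.js, which is what a
// Lambda function on the nodejs:24 image sees unless it ships its own copy.
function bundledUndiciStatus() {
  const v = typeof process !== 'undefined' && process.versions && process.versions.undici;
  return v ? { version: v, affected: undiciAffected(v) } : null;
}
```

Run it inside the image with the entrypoint overridden (docker run --rm --entrypoint node public.ecr.aws/lambda/nodejs:24 -e "..." with the block pasted in) to see the bundled copy; a copy installed under node_modules is a separate artifact and is checked with npm ls undici in the function's build directory.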

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
