CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-12151 | HIGH | undici | 6.25.0 | 6.27.0, 7.28.0, 8.5.0 | 2026-06-17T17:16:42.37Z | 2026-06-23T10:18:18.216181542Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:904f7a98db07d37b59bf7edd90ed97bbba1cb574fd86db462205c68cfc55486c |
Description
Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.
All releases starting at undici 6.17.0 are affected.
Patches:
Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0.
Workarounds:
No workaround is available. The fix must be applied through an upgrade.
Remediation Steps
- Update the affected package undici from version 6.25.0 to 6.27.0, 7.28.0, or 8.5.0.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.