SCA: security update for undici (GHSA-vrm6-8vpv-qv8q)

high Tenable Cloud Security Plugin ID 438784

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption
during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate
extension, the client decompresses incoming compressed frames without enforcing any limit on the
decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression
bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available
memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress()
method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer
without checking whether the total size exceeds a safe threshold. (CVE-2026-1526)

Solution

Update the undici library and its related packages to version 6.24.0 or later.

See Also

https://github.com/advisories/GHSA-vrm6-8vpv-qv8q

Plugin Details

Severity: High

ID: 438784

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-1526

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/13/2026

Vulnerability Publication Date: 3/12/2026

Reference Information

CVE: CVE-2026-1526

cwe: CWE-409