Home > Vulnerability Database > CVE-2026-22036

Mend.io Vulnerability Database

CVE-2026-22036

Good to know:

Date: January 14, 2026

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

Severity Score

5.9

Related Resources (5)

Url: https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3

Url: https://github.com/nodejs/undici

Url: https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22036

Url: https://www.mend.io/vulnerability-database/CVE-2026-22036

Severity Score

5.9

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version undici - 7.18.2;undici - 6.23.0;https://github.com/nodejs/undici.git - v7.18.2;https://github.com/nodejs/undici.git - v6.23.0

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22036

Good to know:

Date: January 14, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?