Headline
GHSA-g9mf-h72j-4rw9: Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Impact
The fetch() API supports chained content codings on HTTP responses, as permitted by RFC 9110 (e.g., Content-Encoding: gzip, br), and the undici decompress interceptor supports the same chaining.
However, in affected versions the number of codings in the decompression chain is not bounded. Within the default maxHeaderSize, a malicious server can fit thousands of codings into a single Content-Encoding header, and the client then attempts every decompression step in turn, leading to high CPU usage and excessive memory allocation.
Patches
Upgrade to 7.18.2 or 6.23.0.
Workarounds
Until you can upgrade, apply a custom undici interceptor that inspects the Content-Encoding response header and rejects (or strips) responses whose coding chain exceeds a small bound; legitimate chains are one or two codings long.
References
- https://hackerone.com/reports/3456148
- https://github.com/advisories/GHSA-gm62-xv2j-4w53
- https://curl.se/docs/CVE-2022-32206.html
CVE identifier
CVE-2026-22036
Severity: Low (GitHub Reviewed). Published Jan 14, 2026 in nodejs/undici; updated Jan 14, 2026.
Affected versions
>= 7.0.0, < 7.18.2
< 6.23.0
Patched versions
7.18.2
6.23.0