{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T12:33:18.741","vulnerabilities":[{"cve":{"id":"CVE-2026-1528","sourceIdentifier":"ce714d77-add3-4f53-aff5-83d477b104bb","published":"2026-03-12T21:16:25.330","lastModified":"2026-03-20T15:41:40.110","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Impact\nA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.\n\nPatches\n\nPatched in undici versions v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later."},{"lang":"es","value":"Impacto\nUn servidor puede responder con un marco WebSocket utilizando el formato de longitud de 64 bits y una longitud extremadamente grande. El ByteParser de undici desborda las operaciones matemáticas internas, termina en un estado inválido y lanza un TypeError fatal que termina el proceso.\n\nParches\n\nParcheado en la versión v7.24.0 y v6.24.0 de undici. Los usuarios deben actualizar a esta versión o posterior."}],"metrics":{"cvssMetricV31":[{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","description":[{"lang":"en","value":"CWE-248"},{"lang":"en","value":"CWE-1284"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*","versionEndExcluding":"6.24.0","matchCriteriaId":"C08CE582-019D-4A06-910A-6010C2D6EF4F"},{"vulnerable":true,"criteria":"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.24.0","matchCriteriaId":"F016E7D9-C45A-4DEF-9AD8-F0581AF5E509"}]}]}],"references":[{"url":"https://cna.openjsf.org/security-advisories.html","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Vendor Advisory"]},{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Vendor Advisory"]},{"url":"https://hackerone.com/reports/3537648","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Permissions Required"]}]}}]}