MEDIUM 5.9

GHSA-g9mf-h72j-4rw9

Undici has an unbounded decompression chain in HTTP responses on the Node.js Fetch API via Content-Encoding, leading to resource exhaustion

Details

### Impact

The `fetch()` API supports chained HTTP content codings in responses, as allowed by RFC 9110 (e.g., `Content-Encoding: gzip, br`). The undici decompress interceptor supports the same chaining.

However, the number of links in the decompression chain is unbounded, and the default `maxHeaderSize` allows a malicious server to insert thousands of compression steps into a single header, leading to high CPU usage and excessive memory allocation.

### Patches

Upgrade to 7.18.2 or 6.23.0.

### Workarounds

It is possible to apply an undici interceptor and filter long `Content-Encoding` sequences manually.
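One way to implement the filtering step of that workaround, as an added example rather than undici's own code: a pure check over the response's `Content-Encoding` value that an interceptor or handler can call as soon as the response headers arrive (the exact hook name differs between undici majors, so the wiring is not shown). The link limit and the set of accepted codings are assumed values.

```javascript
// Added defensive example (not part of undici). Rejects responses whose
// Content-Encoding chain is too long or names a coding we do not handle,
// before any decompression work is started.

// Assumed limit: legitimate servers chain one or two codings, never dozens.
const MAX_ENCODING_LINKS = 5;
// Assumed set of codings this client is willing to decode.
const KNOWN_CODINGS = new Set(['gzip', 'x-gzip', 'deflate', 'br', 'zstd', 'identity']);

// RFC 9110 list syntax: comma-separated, optional whitespace, empty members
// ignored, tokens case-insensitive. Repeated header fields (an array of
// values, as raw headers arrive) are combined in order, as the RFC requires.
function parseContentEncoding(headerValue) {
  if (headerValue == null) return [];
  const values = Array.isArray(headerValue) ? headerValue : [headerValue];
  return values
    .flatMap((v) => String(v).split(','))
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Returns { ok, codings, reason }. The caller aborts the response when ok is
// false; codings are listed in header order (decoding applies them in reverse).
function checkContentEncoding(headerValue, maxLinks = MAX_ENCODING_LINKS) {
  const codings = parseContentEncoding(headerValue);
  if (codings.length > maxLinks) {
    return {
      ok: false,
      codings,
      reason: `content-encoding chain has ${codings.length} links, limit is ${maxLinks}`,
    };
  }
  const unknown = codings.find((c) => !KNOWN_CODINGS.has(c));
  if (unknown !== undefined) {
    return { ok: false, codings, reason: `unsupported content-coding "${unknown}"` };
  }
  return { ok: true, codings, reason: null };
}

// Constructed sample header values for a quick local run.
const legitimateHeader = 'gzip, br';
const hostileHeader = Array(2000).fill('gzip').join(', '); // the pattern the advisory describes
console.log(checkContentEncoding(legitimateHeader)); // ok: true, codings: ['gzip', 'br']
console.log(checkContentEncoding(hostileHeader).reason); // chain has 2000 links, limit is 5
```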

### References

* https://hackerone.com/reports/3456148
* https://github.com/advisories/GHSA-gm62-xv2j-4w53
* https://curl.se/docs/CVE-2022-32206.html


Affected packages

* npm / undici: introduced in 7.0.0, fixed in 7.18.2. Fix: `npm install undici@7.18.2`
* npm / undici: introduced in 0, fixed in 6.23.0. Fix: `npm install undici@6.23.0`
