OCPBUGS-91728: Fix CVE-2026-12151 undici DoS via unbounded memory growth in WebSocket frames #16709
jrangelramos wants to merge 1 commit into
@jrangelramos: This pull request references Jira Issue OCPBUGS-91728, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug.
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: jrangelramos
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

Walkthrough
This change adds a Yarn
Changes: Dependency Resolution Update
Estimated code review effort: 1 (Trivial) | ~2 minutes
Related PRs: None specified.
Suggested labels: dependencies
Suggested reviewers: None specified.
Pre-merge checks: 15 passed
@jrangelramos: This pull request references Jira Issue OCPBUGS-91728, which is valid. 3 validation(s) were run on this bug.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Actionable comments posted: 1
Prompt for all review comments with AI agents:
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@frontend/package.json`:
- Around line 339-340: The undici package constraint in the package manifest
still permits a vulnerable release range; update the existing undici version
specifier to raise the minimum supported version from 6.26.0 to 6.27.0 while
keeping the same upper bound. Locate the dependency entry for undici in the
package manifest and adjust the version range so installs cannot resolve to
6.26.0 or any earlier affected version.
Review info
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 7176db29-d2e1-427f-9384-05a20699dac2
Files ignored due to path filters (1): frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
Files selected for processing (1): frontend/package.json
…wth in WebSocket frames

Add scoped yarn resolution to bump undici from 6.21.2 to >=6.26.0 <7.0.0 for the 6.x consumer (cheerio). The undici WebSocket client prior to 6.26.0 is vulnerable to a denial of service where a malicious server streams many small continuation frames causing unbounded memory growth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

3174a3f to 52aae45
@jrangelramos: all tests passed! Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Analysis / Root cause
undici (HTTP/1.1, HTTP/2, and WebSocket client for Node.js) versions >= 6.17.0 and < 6.26.0 are vulnerable to a denial of service attack (CVE-2026-12151). The undici WebSocket client enforces `maxPayloadSize` on cumulative byte count but not on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that pass validation, causing unbounded memory growth and eventual memory exhaustion.
The package is a transitive dependency in the console frontend at version 6.21.2, pulled in by cheerio.
Solution description
Add a scoped yarn resolution for `undici@^6.19.5` to `>=6.27.0 <7.0.0` in `frontend/package.json`. This bumps the 6.x consumer to the patched version (6.27.0) while staying within the same major version to avoid breaking changes. The 5.x consumer (openapi-typescript) is not affected by this CVE.
Screenshots / screen recording
N/A — dependency version bump only, no visual changes.
Test setup
No special setup required.
Test cases
- `yarn install` completes without errors
- `webpack --mode=development` succeeds (986 assets, 20219 modules)
- `undici@5.x` consumer is not affected by the resolution
Browser conformance
N/A — no runtime behavior changes beyond the security fix.
Additional info
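The reassembly pattern the root-cause section describes, as an added JavaScript example that is not this PR's or undici's code: a minimal RFC 6455 frame codec, a reassembler that checks only the cumulative byte count against `maxPayloadSize`, and a hardened variant that also caps the number of fragments it holds. The hardened class, the `maxFragments` parameter and the `hostileStream`/`benignStream` inputs are assumptions for illustration, not undici's actual 6.26/6.27 patch. The constructed attack traffic is one text frame followed by n empty continuation frames that never carry FIN, so the message never completes and nothing is ever released.

```javascript
'use strict';
// Added example (not part of this PR or of undici): models how a WebSocket
// client reassembles a fragmented message and why a cumulative byte limit
// alone does not bound memory. Frame layout follows RFC 6455 section 5.2.
// All frames here are constructed server-to-client frames, so unmasked.

const OPCODE_CONTINUATION = 0x0;
const OPCODE_TEXT = 0x1;

// Encode one unmasked frame with a 7-, 16- or 64-bit payload length field.
function encodeFrame(opcode, payload, fin) {
  const len = payload.length;
  const first = (fin ? 0x80 : 0x00) | opcode;
  let header;
  if (len < 126) {
    header = Buffer.from([first, len]);
  } else if (len < 0x10000) {
    header = Buffer.alloc(4);
    header[0] = first; header[1] = 126; header.writeUInt16BE(len, 2);
  } else {
    header = Buffer.alloc(10);
    header[0] = first; header[1] = 127; header.writeBigUInt64BE(BigInt(len), 2);
  }
  return Buffer.concat([header, payload]);
}

// Decode one frame from the front of buf. Returns null if the frame is incomplete.
function decodeFrame(buf) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  if ((buf[1] & 0x80) !== 0) throw new Error('server frames must not be masked'); // RFC 6455 5.1
  let len = buf[1] & 0x7f;
  let off = 2;
  if (len === 126) {
    if (buf.length < 4) return null;
    len = buf.readUInt16BE(2); off = 4;
  } else if (len === 127) {
    if (buf.length < 10) return null;
    len = Number(buf.readBigUInt64BE(2)); off = 10;
  }
  if (buf.length < off + len) return null;
  return { frame: { fin, opcode, payload: buf.subarray(off, off + len) }, rest: buf.subarray(off + len) };
}

// Vulnerable pattern: only the cumulative byte count is checked, so every
// continuation frame adds a heap object (Buffer + array slot) even when empty.
class ByteLimitedAssembler {
  constructor(maxPayloadSize) { this.max = maxPayloadSize; this.fragments = []; this.bytes = 0; }
  push({ fin, payload }) {
    if (this.bytes + payload.length > this.max) throw new Error('payload too large');
    this.fragments.push(Buffer.from(payload)); // copied: the receive buffer is reused
    this.bytes += payload.length;
    if (!fin) return null;
    const msg = Buffer.concat(this.fragments);
    this.fragments = []; this.bytes = 0;
    return msg;
  }
}

// Hardened pattern (assumed illustration, not undici's patch): additionally
// bounds the number of fragments held, so frame count is limited as well as bytes.
class BoundedAssembler extends ByteLimitedAssembler {
  constructor(maxPayloadSize, maxFragments) { super(maxPayloadSize); this.maxFragments = maxFragments; }
  push(frame) {
    if (this.fragments.length >= this.maxFragments) throw new Error('too many fragments');
    return super.push(frame);
  }
}

// Drive an assembler over a byte stream and report what it still holds afterwards.
function feed(assembler, stream) {
  const messages = [];
  let error = null;
  let buf = stream;
  try {
    for (let d = decodeFrame(buf); d !== null; d = decodeFrame(buf)) {
      const msg = assembler.push(d.frame);
      if (msg !== null) messages.push(msg.toString('utf8'));
      buf = d.rest;
    }
  } catch (e) { error = e.message; }
  return { messages, error, fragmentsHeld: assembler.fragments.length, bytesHeld: assembler.bytes };
}

// Constructed inputs. hostileStream: one text frame, then n empty continuation
// frames and never a FIN, so the byte check passes forever and nothing is freed.
function hostileStream(n) {
  const parts = [encodeFrame(OPCODE_TEXT, Buffer.from('hi'), false)];
  for (let i = 0; i < n; i++) parts.push(encodeFrame(OPCODE_CONTINUATION, Buffer.alloc(0), false));
  return Buffer.concat(parts);
}
function benignStream() {
  return Buffer.concat([
    encodeFrame(OPCODE_TEXT, Buffer.from('hel'), false),
    encodeFrame(OPCODE_CONTINUATION, Buffer.from('lo'), false),
    encodeFrame(OPCODE_CONTINUATION, Buffer.from('!'), true),
  ]);
}
```

With 5000 empty continuation frames the byte-limited assembler holds 5001 Buffer objects for 2 payload bytes and keeps growing with the frame count, while the bounded one fails the connection at its cap; both still reassemble the three-fragment benign message. The fragment cap trades off against peers that legitimately fragment heavily, so derive it from the byte budget rather than picking a small constant. After the resolution in this PR is applied, `yarn why undici` shows which dependency paths resolve to which undici version.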