Cherry-pick 91678cbbce and 7a2db575e0 by lpinca · Pull Request #5422 · nodejs/undici

lpinca · 2026-06-13T13:57:37Z

Cherry-pick 91678cbbce and 7a2db575e0 from https://github.com/nodejs/undici-ghsa-vxpw-j846-p89q/pull/1.

These should be backported together with 32dbf0b.

Status

* Empty first fragment + non-empty continuation should deliver the message. * A flood of empty continuation frames must still trip maxFragments. * WebSocketStream must honor maxFragments the same as WebSocket.

…ptions * Drop body.length / data.length short-circuits on writeFragments. Per RFC 6455 §5.4, zero-byte fragments are conforming and the parser uses #fragments.length > 0 to track an in-progress fragmented message. * Propagate maxFragments and maxPayloadSize from the dispatcher to WebSocketStream's ByteParser, mirroring lib/web/websocket/websocket.js.

codecov-commenter · 2026-06-13T14:35:03Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.35%. Comparing base (6df53c5) to head (81bed8b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5422      +/-   ##
==========================================
- Coverage   93.35%   93.35%   -0.01%     
==========================================
  Files         110      110              
  Lines       36966    36993      +27     
==========================================
+ Hits        34511    34536      +25     
- Misses       2455     2457       +2

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

lpinca · 2026-06-13T15:20:55Z

@KhafraDev I guess the 👎 is because you do not think this is relevant for a client, and I might agree, but the problem is of the same type as the zip bomb, so I think both should be fixed or neither.

KhafraDev · 2026-06-13T15:29:57Z

I don't think zip bombs were a vulnerability either (anything regarding an "attacker server"). I'm not blocking it, I would have preferred if both were disabled by default though, going back to ljharb's original argument against adding fetch in node: "How can we add this when it doesn’t comply with the browser spec ... ?"

I've never been against people using ws instead of undici's WebSocket/the global WebSocket which provides the same mitigations with a lot more customization.

lpinca · 2026-06-13T15:34:54Z

anything regarding an "attacker server"

I understand, it does not make much sense.

mcollina

lgtm

UlisesGascon added 2 commits June 13, 2026 16:17

test(websocket): cover empty fragments and WebSocketStream maxFragments

ce02650

* Empty first fragment + non-empty continuation should deliver the message. * A flood of empty continuation frames must still trip maxFragments. * WebSocketStream must honor maxFragments the same as WebSocket.

lpinca force-pushed the cherry-pick/91678cbbce-and-7a2db575e0 branch from cf1fdcd to c1bc9fe Compare June 13, 2026 14:18

lpinca changed the title ~~Cherry pick 91678cbbce and 7a2db575e0~~ Cherry-pick 91678cbbce and 7a2db575e0 Jun 13, 2026

test(websocket): fix flaky tests

81bed8b

lpinca force-pushed the cherry-pick/91678cbbce-and-7a2db575e0 branch from bc966fa to 81bed8b Compare June 13, 2026 15:42

lpinca mentioned this pull request Jun 13, 2026

fix websocket empty fragments parsing #5424

Closed

KhafraDev approved these changes Jun 13, 2026

View reviewed changes

mcollina approved these changes Jun 13, 2026

View reviewed changes

mcollina merged commit 382a038 into nodejs:main Jun 13, 2026
36 of 39 checks passed

lpinca deleted the cherry-pick/91678cbbce-and-7a2db575e0 branch June 13, 2026 19:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cherry-pick 91678cbbce and 7a2db575e0#5422

Cherry-pick 91678cbbce and 7a2db575e0#5422
mcollina merged 3 commits into
nodejs:mainfrom
lpinca:cherry-pick/91678cbbce-and-7a2db575e0

lpinca commented Jun 13, 2026 •

edited

Loading

Uh oh!

codecov-commenter commented Jun 13, 2026 •

edited

Loading

Uh oh!

lpinca commented Jun 13, 2026

Uh oh!

KhafraDev commented Jun 13, 2026

Uh oh!

lpinca commented Jun 13, 2026

Uh oh!

mcollina left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Uh oh!

Conversation

lpinca commented Jun 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Status

Uh oh!

codecov-commenter commented Jun 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

lpinca commented Jun 13, 2026

Uh oh!

KhafraDev commented Jun 13, 2026

Uh oh!

lpinca commented Jun 13, 2026

Uh oh!

mcollina left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

lpinca commented Jun 13, 2026 •

edited

Loading

codecov-commenter commented Jun 13, 2026 •

edited

Loading