Undici HTTP Client Library Exposes Critical Decompression Vulnerability (CVE-2026-22036)
A critical security flaw has been identified in the widely used `undici` HTTP client library for Node.js, forcing a mandatory major version upgrade. The vulnerability, tracked as CVE-2026-22036, resides in the library's handling of chained HTTP content encoding algorithms, such as `gzip` and `br`. The decompress interceptor fails to properly limit the number of chained encodings, creating a potential vector for denial-of-service (DoS) attacks. This flaw directly impacts the `fetch()` API's compliance with RFC 9110, exposing any application using a vulnerable version of `undici` to resource exhaustion.
The issue is present in versions prior to the newly released v7.24.0. The automated dependency management tool Renovate has flagged the update from v6.23.0 as a high-priority security fix. The update is not a minor patch but a major version jump, indicating significant underlying changes required to remediate the vulnerability. This forces development teams to assess compatibility risks immediately, as the fix is not backward-compatible.
The widespread adoption of `undici` as a core, low-level HTTP client means this vulnerability has a broad attack surface across the Node.js ecosystem. Projects relying on automated dependency updates are now under pressure to review and merge this security patch. Failure to upgrade leaves applications susceptible to being overwhelmed by maliciously crafted responses that exploit the unlimited chained decompression, potentially crashing servers or consuming excessive memory and CPU resources.