CVE-2026-22036

ADVISORY - github

Summary

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

https://hackerone.com/reports/3456148
https://github.com/advisories/GHSA-gm62-xv2j-4w53
https://curl.se/docs/CVE-2022-32206.html

EPSS Score⁠: 0.00018 (0.039)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.