fix: limit Content-Encoding chain to 5 to prevent resource exhaustion

mcollina · mcollina · commit d3aafea7a2b3 · 2026-01-05T16:57:24.000+01:00
A malicious server could send responses with thousands of Content-Encoding layers, causing high CPU usage and memory allocation when decompressing. This fix limits the number of content-encodings to 5, matching the approach used by urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206). Fixes CWE-770: Allocation of Resources Without Limits or Throttling Signed-off-by: Matteo Collina <hello@matteocollina.com>
diff --git a/README.md b/README.md
@@ -329,7 +329,13 @@ const headers = await fetch(url, { method: 'HEAD' })
 
 The [Fetch Standard](https://fetch.spec.whatwg.org) requires implementations to exclude certain headers from requests and responses. In browser environments, some headers are forbidden so the user agent remains in full control over them. In Undici, these constraints are removed to give more control to the user.
 
-### `undici.upgrade([url, options]): Promise`
+#### Content-Encoding
+
+* https://www.rfc-editor.org/rfc/rfc9110#field.content-encoding
+
+Undici limits the number of `Content-Encoding` layers in a response to **5** to prevent resource exhaustion attacks. If a server responds with more than 5 content-encodings (e.g., `Content-Encoding: gzip, gzip, gzip, gzip, gzip, gzip`), the fetch will be rejected with an error. This limit matches the approach taken by [curl](https://curl.se/docs/CVE-2022-32206.html) and [urllib3](https://github.com/advisories/GHSA-gm62-xv2j-4rw9).
+
+#### `undici.upgrade([url, options]): Promise`
 
 Upgrade to a different protocol. See [MDN - HTTP - Protocol upgrade mechanism](https://developer.mozilla.org/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism) for more details.
 
diff --git a/lib/web/fetch/index.js b/lib/web/fetch/index.js
@@ -2111,21 +2111,13 @@ async function httpNetworkFetch (
             return
           }
 
-          /** @type {string[]} */
-          let codings = []
           let location = ''
 
           const headersList = new HeadersList()
 
           for (let i = 0; i < rawHeaders.length; i += 2) {
             headersList.append(bufferToLowerCasedHeaderName(rawHeaders[i]), rawHeaders[i + 1].toString('latin1'), true)
           }
-          const contentEncoding = headersList.get('content-encoding', true)
-          if (contentEncoding) {
-            // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1
-            // "All content-coding values are case-insensitive..."
-            codings = contentEncoding.toLowerCase().split(',').map((x) => x.trim())
-          }
           location = headersList.get('location', true)
 
           this.body = new Readable({ read: resume })
@@ -2136,9 +2128,23 @@ async function httpNetworkFetch (
             redirectStatusSet.has(status)
 
           // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
-          if (codings.length !== 0 && request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) {
+          if (request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) {
+            // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1
+            const contentEncoding = headersList.get('content-encoding', true)
+            // "All content-coding values are case-insensitive..."
+            /** @type {string[]} */
+            const codings = contentEncoding ? contentEncoding.toLowerCase().split(',') : []
+
+            // Limit the number of content-encodings to prevent resource exhaustion.
+            // CVE fix similar to urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206).
+            const maxContentEncodings = 5
+            if (codings.length > maxContentEncodings) {
+              reject(new Error(`too many content-encodings in response: ${codings.length}, maximum allowed is ${maxContentEncodings}`))
+              return true
+            }
+
             for (let i = codings.length - 1; i >= 0; --i) {
-              const coding = codings[i]
+              const coding = codings[i].trim()
               // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2
               if (coding === 'x-gzip' || coding === 'gzip') {
                 decoders.push(zlib.createGunzip({
diff --git a/test/fetch/encoding.js b/test/fetch/encoding.js
@@ -1,6 +1,6 @@
 'use strict'
 
-const { test } = require('node:test')
+const { test, describe, before, after } = require('node:test')
 const assert = require('node:assert')
 const { createServer } = require('node:http')
 const { once } = require('node:events')
@@ -58,3 +58,67 @@ test('response decompression according to content-encoding should be handled in
 
   assert.strictEqual(await response.text(), text)
 })
+
+describe('content-encoding chain limit', () => {
+  // CVE fix: Limit the number of content-encodings to prevent resource exhaustion
+  // Similar to urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206)
+  const MAX_CONTENT_ENCODINGS = 5
+
+  let server
+  before(async () => {
+    server = createServer({
+      noDelay: true
+    }, (req, res) => {
+      const encodingCount = parseInt(req.headers['x-encoding-count'] || '1', 10)
+      const encodings = Array(encodingCount).fill('identity').join(', ')
+
+      res.writeHead(200, {
+        'Content-Encoding': encodings,
+        'Content-Type': 'text/plain'
+      })
+      res.end('test')
+    })
+    await once(server.listen(0), 'listening')
+  })
+
+  after(() => {
+    server.close()
+  })
+
+  test(`should allow exactly ${MAX_CONTENT_ENCODINGS} content-encodings`, async (t) => {
+    const response = await fetch(`http://localhost:${server.address().port}`, {
+      keepalive: false,
+      headers: { 'x-encoding-count': String(MAX_CONTENT_ENCODINGS) }
+    })
+
+    assert.strictEqual(response.status, 200)
+    // identity encoding is a no-op, so the body should be passed through
+    assert.strictEqual(await response.text(), 'test')
+  })
+
+  test(`should reject more than ${MAX_CONTENT_ENCODINGS} content-encodings`, async (t) => {
+    await assert.rejects(
+      fetch(`http://localhost:${server.address().port}`, {
+        keepalive: false,
+        headers: { 'x-encoding-count': String(MAX_CONTENT_ENCODINGS + 1) }
+      }),
+      (err) => {
+        assert.ok(err.cause?.message.includes('content-encoding'))
+        return true
+      }
+    )
+  })
+
+  test('should reject excessive content-encoding chains', async (t) => {
+    await assert.rejects(
+      fetch(`http://localhost:${server.address().port}`, {
+        keepalive: false,
+        headers: { 'x-encoding-count': '100' }
+      }),
+      (err) => {
+        assert.ok(err.cause?.message.includes('content-encoding'))
+        return true
+      }
+    )
+  })
+})
