CVE-2025-47279

Published: May 15, 2025Modified: May 16, 2025

3.1

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Exploitability: 1.6 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

Related CWEs

CWE-401

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References (3)

https://github.com/nodejs/undici/issues/3895

Source: security-advisories@github.com

https://github.com/nodejs/undici/pull/4088

Source: security-advisories@github.com

https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3

Source: security-advisories@github.com

Timeline

No history available yet.