CVE-2025-47279

CWE-401 Memory Leak | 8 documents | 7 sources
Severity: 3.1 LOW
EPSS: 0.0% (top 85.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published May 15

Description

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Exploitability: 1.6 | Impact: 1.4

Affected Packages (3 packages)

Source    | Package       | Affected versions
CVEListV5 | nodejs/undici | < 5.29.0 (+2)
Debian    | node-undici   | < 7.24.5+dfsg+~cs3.2.0-1
npm       | undici        | 6.0.0 – 6.21.2 (+2)

Vulnerability Details (4)

CVEList | undici Denial of Service attack via bad certificate data | 2025-05-15
OSV     | CVE-2025-47279: Undici is an HTTP/1 | 2025-05-15
OSV     | undici Denial of Service attack via bad certificate data | 2025-05-15
GHSA    | undici Denial of Service attack via bad certificate data | 2025-05-15

Vendor Advisories (3)

Red Hat   | undici: Undici Memory Leak with Invalid Certificates | 2025-05-15
Microsoft | undici Denial of Service attack via bad certificate data | 2025-05-13
Debian    | CVE-2025-47279: node-undici - Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and ... | 2025
CVE-2025-47279 (LOW CVSS 3.1) | Undici is an HTTP/1.1 client for No | cvebase.io