VDB
LOW 3.1

GHSA-cxrh-j4jr-qwg3

undici Denial of Service attack via bad certificate data

Details

### Impact

Applications that use undici to implement a webhook-like system (outbound HTTPS requests to URLs chosen by an external party) are affected. If an attacker sets up a server that presents an invalid certificate, and they can cause the application to call that webhook repeatedly, the repeated failed connections leak memory, which over time amounts to a denial of service.

### Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

### Workarounds

If a webhook call fails, do not keep retrying it indefinitely: bound the number of retries per endpoint and stop or back off after repeated failures.
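The workaround above, as an added example that is not part of the advisory or of undici's own code: a small per-endpoint circuit breaker separates the "should we dial this endpoint at all?" decision from the network call, so an endpoint that keeps failing its TLS handshake is contacted at most a bounded number of times before being parked for a cooldown. All names here (`WebhookCircuitBreaker`, `deliverWebhook`, the hook URL) are hypothetical, and the simulated peer at the bottom is constructed data.

```javascript
'use strict';
// Added example, not the advisory's or undici's code. Bounds how many times a
// failing webhook endpoint is dialled, so a peer with a bad certificate cannot
// be hit on every event indefinitely.

class WebhookCircuitBreaker {
  constructor({ maxConsecutiveFailures = 3, cooldownMs = 60_000, now = Date.now } = {}) {
    this.maxConsecutiveFailures = maxConsecutiveFailures;
    this.cooldownMs = cooldownMs;
    this.now = now;              // injectable clock so the logic can be tested offline
    this.endpoints = new Map();  // url -> { failures, openedAt }
  }

  _state(url) {
    let s = this.endpoints.get(url);
    if (!s) { s = { failures: 0, openedAt: null }; this.endpoints.set(url, s); }
    return s;
  }

  // Returns false while the circuit is open. Once the cooldown has elapsed a
  // single probe is allowed; if that probe fails the circuit reopens at once.
  shouldAttempt(url) {
    const s = this._state(url);
    if (s.openedAt === null) return true;
    if (this.now() - s.openedAt < this.cooldownMs) return false;
    s.openedAt = null;
    s.failures = this.maxConsecutiveFailures - 1; // one more failure reopens it
    return true;
  }

  recordSuccess(url) { const s = this._state(url); s.failures = 0; s.openedAt = null; }

  recordFailure(url) {
    const s = this._state(url);
    s.failures += 1;
    if (s.failures >= this.maxConsecutiveFailures) s.openedAt = this.now();
  }

  isOpen(url) { return this._state(url).openedAt !== null; }
}

// Delivery wrapper. `send(url, payload)` must reject on any failure, including
// TLS errors and non-2xx responses. With undici that could be (assumption,
// shown for illustration only):
//   const { request } = require('undici');
//   const send = async (url, body) => {
//     const res = await request(url, { method: 'POST', body: JSON.stringify(body) });
//     if (res.statusCode >= 300) throw new Error(`HTTP ${res.statusCode}`);
//   };
async function deliverWebhook(breaker, send, url, payload) {
  if (!breaker.shouldAttempt(url)) return { attempted: false, ok: false };
  try {
    await send(url, payload);
    breaker.recordSuccess(url);
    return { attempted: true, ok: true };
  } catch (err) {
    breaker.recordFailure(url);
    return { attempted: true, ok: false, error: err.code || err.message };
  }
}

// Offline simulation (constructed data): an endpoint whose every handshake
// fails. Counts how often the breaker lets us dial it across `events`
// deliveries, then again after the cooldown elapses.
function simulateBadCertificatePeer(events, { maxConsecutiveFailures = 3, cooldownMs = 60_000 } = {}) {
  let clock = 0;
  const breaker = new WebhookCircuitBreaker({ maxConsecutiveFailures, cooldownMs, now: () => clock });
  const url = 'https://hook.example.invalid/notify'; // hypothetical endpoint
  let dials = 0;
  for (let i = 0; i < events; i++) {
    if (breaker.shouldAttempt(url)) { dials++; breaker.recordFailure(url); }
  }
  const dialsBeforeCooldown = dials;
  clock += cooldownMs; // cooldown elapses: exactly one probe is permitted
  for (let i = 0; i < events; i++) {
    if (breaker.shouldAttempt(url)) { dials++; breaker.recordFailure(url); }
  }
  return {
    dialsBeforeCooldown,
    dialsAfterCooldown: dials - dialsBeforeCooldown,
    open: breaker.isOpen(url),
  };
}
```

Keeping the breaker state synchronous and the I/O in a thin async wrapper means the retry policy can be unit-tested without a network, and it applies equally to a pool of endpoints: each URL gets its own failure counter, so one attacker-controlled hook cannot trip delivery to everyone else.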

### References

Reported as: https://github.com/nodejs/undici/issues/3895

Affected packages

| Package | Affected range | Fixed in | Fix |
|---|---|---|---|
| npm / undici | >= 0, < 5.29.0 | 5.29.0 | npm install undici@5.29.0 |
| npm / undici | >= 6.0.0, < 6.21.2 | 6.21.2 | npm install undici@6.21.2 |
| npm / undici | >= 7.0.0, < 7.5.0 | 7.5.0 | npm install undici@7.5.0 |
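A check against the ranges above, added here as an example and not part of the advisory or of undici: it parses semver strings, tests a version against the three affected ranges, and walks the JSON tree that `npm ls undici --json` prints so nested copies of undici (pulled in by other dependencies) are found too. The `npm ls` tree at the bottom is constructed sample input, and the function names are hypothetical.

```javascript
'use strict';
// Added example, not the advisory's or undici's code. Flags installed undici
// versions that fall inside the affected ranges listed in this advisory.

const UNDICI_AFFECTED_RANGES = [
  { introduced: '0.0.0', fixed: '5.29.0' },
  { introduced: '6.0.0', fixed: '6.21.2' },
  { introduced: '7.0.0', fixed: '7.5.0' },
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ? m[4].split('.') : null,
  };
}

// Semver ordering: numeric major.minor.patch, then a pre-release sorts before
// the release it precedes (7.5.0-rc.1 < 7.5.0), identifiers compared in turn.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (!a.prerelease && !b.prerelease) return 0;
  if (!a.prerelease) return 1;
  if (!b.prerelease) return -1;
  const n = Math.min(a.prerelease.length, b.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x = a.prerelease[i], y = b.prerelease[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;   // numeric identifiers sort first
    else if (x !== y) return x < y ? -1 : 1;
  }
  return a.prerelease.length - b.prerelease.length;
}

function isAffected(version) {
  const v = parseVersion(version);
  return UNDICI_AFFECTED_RANGES.some((r) =>
    compareVersions(v, parseVersion(r.introduced)) >= 0 &&
    compareVersions(v, parseVersion(r.fixed)) < 0);
}

// Walks the object printed by `npm ls undici --json` (or `npm ls --all --json`)
// and reports every undici node with its position in the dependency tree.
function findUndiciInNpmLs(tree, path = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'undici' && typeof node.version === 'string') {
      found.push({ path: here.join(' > '), version: node.version, affected: isAffected(node.version) });
    }
    found.push(...findUndiciInNpmLs(node, here));
  }
  return found;
}

// Constructed sample: what `npm ls --all --json` might print for an app that
// depends on undici directly and also pulls an older copy in via a library.
const SAMPLE_NPM_LS = {
  name: 'webhook-service',
  version: '1.0.0',
  dependencies: {
    undici: { version: '7.5.0' },
    'some-http-lib': {
      version: '2.3.1',
      dependencies: { undici: { version: '6.21.1' } },
    },
  },
};

function affectedCopies(tree = SAMPLE_NPM_LS) {
  return findUndiciInNpmLs(tree).filter((c) => c.affected);
}
```

Run the real thing with `npm ls --all --json > tree.json` and pass the parsed file to `findUndiciInNpmLs`; a transitive copy in a nested `node_modules` is exactly the case a top-level `package.json` check misses.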
