LOW 3.1

GHSA-cxrh-j4jr-qwg3

undici Denial of Service attack via bad certificate data

Details

### Impact

Applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak.

### Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

### Workarounds

If a webhook fails, avoid calling it repeatedly.

### References

Reported as: https://github.com/nodejs/undici/issues/3895


Affected packages

| Package | First affected version | Fixed version | Fix |
| --- | --- | --- | --- |
| npm / undici | 0 | 5.29.0 | `npm install undici@5.29.0` |
| npm / undici | 6.0.0 | 6.21.2 | `npm install undici@6.21.2` |
| npm / undici | 7.0.0 | 7.5.0 | `npm install undici@7.5.0` |

References