Description

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

INFO

Published Date :

2025-05-15T17:16:02.738Z

Last Modified :

2026-02-06T19:14:56.281Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-47279 vulnerability.

Vendors Products
Nodejs
  • Undici
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-47279.

URL Resource
https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25 cve-icon cve-icon
https://github.com/nodejs/undici/issues/3895 cve-icon cve-icon cve-icon
https://github.com/nodejs/undici/pull/4088 cve-icon cve-icon cve-icon
https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-47279 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-47279 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact