
THREATINT
PUBLISHED

CVE-2025-47279

undici Denial of Service attack via bad certificate data



Description

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
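The workaround in the description is to stop re-calling a webhook endpoint that keeps failing. The following is an added example of that pattern (it is not code from undici or from the advisory): a small per-endpoint circuit breaker that counts consecutive delivery failures and, once a threshold is reached, skips that endpoint for a cool-down period instead of hammering it. The transport is an injected function, here a constructed fake that throws for one hypothetical endpoint the way a TLS handshake against a bad certificate would; the URLs, threshold and timings are all assumptions chosen for illustration.

```javascript
// Added example, not undici's code. A dispatcher that refuses to keep
// calling a webhook endpoint that has just failed repeatedly. The
// transport `send(url, body)` is injected (assumption: it returns on
// success and throws on failure) so the example runs offline.

class WebhookDispatcher {
  constructor(send, { maxFailures = 3, cooldownMs = 60_000, now = Date.now } = {}) {
    this.send = send;              // transport: throws on any delivery error
    this.maxFailures = maxFailures; // consecutive failures before cool-down
    this.cooldownMs = cooldownMs;   // how long a failing endpoint is skipped
    this.now = now;                 // clock, injectable for tests
    this.state = new Map();         // url -> { failures, openUntil }
  }

  // Returns 'sent', 'failed', or 'skipped' (endpoint is in cool-down).
  deliver(url, body) {
    const s = this.state.get(url) ?? { failures: 0, openUntil: 0 };
    if (s.openUntil > this.now()) return 'skipped';
    try {
      this.send(url, body);
      this.state.set(url, { failures: 0, openUntil: 0 }); // success resets
      return 'sent';
    } catch (err) {
      s.failures += 1;
      if (s.failures >= this.maxFailures) {
        // Open the breaker: no further attempts until the cool-down passes.
        s.openUntil = this.now() + this.cooldownMs;
        s.failures = 0;
      }
      this.state.set(url, s);
      return 'failed';
    }
  }
}

// Constructed scenario: a fake transport that always fails for the
// hypothetical "bad" endpoint (simulating a certificate error) and
// succeeds for the "good" one. No real network traffic is involved.
function demo() {
  let calls = 0;
  const fakeSend = (url) => {
    calls += 1;
    if (url.includes('bad')) throw new Error('certificate verify failed (simulated)');
  };
  let t = 0; // fake clock in milliseconds
  const d = new WebhookDispatcher(fakeSend, { maxFailures: 3, cooldownMs: 1000, now: () => t });
  const results = [];
  for (let i = 0; i < 6; i++) results.push(d.deliver('https://bad.example/hook', { i }));
  results.push(d.deliver('https://good.example/hook', {}));
  t = 1001; // cool-down expired: one probe attempt is allowed again
  results.push(d.deliver('https://bad.example/hook', {}));
  return { results, calls };
}
```

In the constructed run the failing endpoint is contacted three times, then skipped for the rest of the cool-down while the healthy endpoint is still served; only after the cool-down does a single probe go out again. That bounds the number of failed connection attempts an attacker-controlled endpoint can provoke, which is the point of the workaround.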

Reserved 2025-05-05 | Published 2025-05-15 | Updated 2025-05-16 | Assigner GitHub_M


LOW: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

Problem types

CWE-401: Missing Release of Memory after Effective Lifetime

Product status

< 5.29.0: affected

>= 6.0.0, < 6.21.2: affected

>= 7.0.0, < 7.5.0: affected

References

github.com/...undici/security/advisories/GHSA-cxrh-j4jr-qwg3

github.com/nodejs/undici/issues/3895

github.com/nodejs/undici/pull/4088

cve.org (CVE-2025-47279)

nvd.nist.gov (CVE-2025-47279)

https://cve.threatint.eu/CVE/CVE-2025-47279
