CVE-2025-47279: undici Denial of Service attack via bad certificate data
Applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak.
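The precondition described above is that the attacker can make the application contact a badly-certificated endpoint over and over. Beyond upgrading undici to a release carrying the referenced fix, a webhook dispatcher can limit how often that path is reachable by refusing to re-contact a destination whose TLS certificate keeps failing verification. The following is an added example (not code from undici, the advisory, or any project): a small per-origin circuit breaker. The `WebhookBreaker` class, the injected `transport` function, and the `hooks.example.test` hostname are all assumptions of this example; the transport is injected so the logic runs here without undici installed, and in a real dispatcher it would wrap undici's `request()` or `fetch()`. The TLS error codes listed are Node.js's own certificate-verification codes.

```javascript
// Added example, not part of the advisory or the undici project.
// A per-origin circuit breaker placed in front of a webhook HTTP client so that
// a destination with a bad certificate is not re-contacted on every trigger.

// Node.js TLS verification error codes that indicate bad certificate data.
const CERT_ERROR_CODES = new Set([
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'CERT_HAS_EXPIRED',
  'ERR_TLS_CERT_ALTNAME_INVALID',
]);

function isCertError(err) {
  return Boolean(err) && CERT_ERROR_CODES.has(err.code);
}

class WebhookBreaker {
  // `transport(url, body)` is assumed to return a Promise and reject with a
  // Node-style error (with `.code`) on TLS failure. `now` is injectable for tests.
  constructor({ transport, maxCertFailures = 3, cooldownMs = 10 * 60 * 1000, now = Date.now }) {
    this.transport = transport;
    this.maxCertFailures = maxCertFailures;
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.state = new Map(); // origin -> { failures, openUntil }
  }

  async deliver(url, body) {
    const origin = new URL(url).origin;
    const entry = this.state.get(origin) || { failures: 0, openUntil: 0 };

    // Circuit open: skip the network call entirely until the cooldown elapses.
    if (entry.openUntil > this.now()) {
      return { delivered: false, reason: 'circuit-open' };
    }

    try {
      await this.transport(url, body);
      this.state.set(origin, { failures: 0, openUntil: 0 }); // success resets the counter
      return { delivered: true };
    } catch (err) {
      if (!isCertError(err)) throw err; // non-TLS errors are left to the caller's retry policy
      entry.failures += 1;
      if (entry.failures >= this.maxCertFailures) {
        // Once the cooldown passes, a single probe is allowed; another cert
        // failure re-opens the circuit immediately because `failures` is not reset.
        entry.openUntil = this.now() + this.cooldownMs;
      }
      this.state.set(origin, entry);
      return { delivered: false, reason: 'cert-error', code: err.code, failures: entry.failures };
    }
  }
}

// Constructed demo transport: behaves like a destination presenting a self-signed cert.
function failingTransport() {
  const err = new Error('self signed certificate');
  err.code = 'DEPTH_ZERO_SELF_SIGNED_CERT';
  return Promise.reject(err);
}

// Drives the breaker through repeated triggers and returns the reason per attempt.
async function demo() {
  let clock = 0;
  const breaker = new WebhookBreaker({
    transport: failingTransport, maxCertFailures: 3, cooldownMs: 1000, now: () => clock,
  });
  const results = [];
  for (let i = 0; i < 5; i++) {
    results.push(await breaker.deliver('https://hooks.example.test/notify', '{}'));
  }
  clock = 2000; // cooldown elapsed: one probe goes out, fails, and re-opens the circuit
  results.push(await breaker.deliver('https://hooks.example.test/notify', '{}'));
  return results.map((r) => r.reason);
}

module.exports = { WebhookBreaker, isCertError, demo };
```

With three failures allowed, the first three triggers reach the network, the next two are dropped without a connection attempt, and after the cooldown a single probe is allowed before the circuit closes again. Logging the `cert-error` results per origin also gives a detection signal: a destination that repeatedly fails certificate verification is worth alerting on rather than silently retrying.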
References
- github.com/advisories/GHSA-cxrh-j4jr-qwg3
- github.com/nodejs/undici
- github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25
- github.com/nodejs/undici/issues/3895
- github.com/nodejs/undici/pull/4088
- github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
- nvd.nist.gov/vuln/detail/CVE-2025-47279