CVE-2025-47279
Memory Leak vulnerability in undici (npm)
What is CVE-2025-47279 About?
This memory leak vulnerability in `undici` affects applications that implement webhook-like systems, that is, applications that make outbound HTTPS requests to URLs chosen by other parties. If an attacker controls a server whose TLS certificate fails validation and can make the application call it repeatedly, every failed delivery leaks memory and the server's availability and stability degrade. Exploitation requires persistent interaction with the vulnerable system and control over a server with an invalid certificate.
Affected Software
- undici
- <5.29.0
- >=6.0.0, <6.21.2
- >=7.0.0, <7.5.0
Technical Details
The memory leak in undici (patched in https://github.com/nodejs/undici/pull/4088) affects applications that use undici for webhook-like systems. It occurs when undici connects to a server, in this scenario an attacker-controlled webhook endpoint, that presents a TLS certificate that fails validation (for example one that is expired, self-signed, or issued for a different host name). Because validation fails during the TLS handshake, no HTTP exchange takes place, but undici does not release all of the memory it allocated for the failed connection attempt. If the attacker can repeatedly make the application call the webhook, each failed attempt adds to the leak. Over time the accumulated memory exhausts the process, making the application unstable or crashing it, which is a denial-of-service condition. Upgrading undici is the fix; limiting how often a failing endpoint is retried only slows the leak down, because the memory is lost inside the client on every failed attempt.
What is the Impact of CVE-2025-47279?
Successful exploitation may allow attackers to cause a memory leak, leading to resource exhaustion, application instability, or denial of service, impacting system availability.
What is the Exploitability of CVE-2025-47279?
Exploitation complexity is moderate. Prerequisites are an application that uses a vulnerable undici to call webhook-like endpoints and an attacker who can host a server that presents an invalid certificate. Whether authentication is needed depends on who can register or trigger webhooks: if unauthenticated users can, the attack is remote and unauthenticated. No privileges on the target are needed beyond the ability to cause webhook deliveries, since the attack only consumes resources. The attack is carried out remotely. It also needs the application to keep calling the webhook after failures, either because it retries on its own or because the attacker can trigger new deliveries. The risk is higher when the application retries failed webhooks aggressively without bounding the retries, or when it delivers to external endpoints chosen by untrusted parties.
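The retry behaviour described in the technical details and exploitability sections above is what turns one bad certificate into thousands of leaked connection attempts. The code below is an added example, not code from undici or from the advisory: it contrasts a naive sender that retries every failure with a dispatcher that treats certificate validation errors as permanent and stops contacting an origin that keeps presenting a bad certificate. The transport function is injected so the example runs offline; with undici you would pass something like `(url) => undici.request(url, { method: 'POST', body })`, which is an assumed usage, not shown on the page. The error codes, the endpoint URL and the transports are constructed for the example.

```javascript
// Added example (not undici's or the advisory's code). Demonstrates why a
// webhook sender should not retry TLS certificate failures and how to stop
// calling an origin that keeps failing certificate validation.

// Error codes Node's TLS layer sets when certificate validation fails
// (OpenSSL X509 verify result names plus Node's own ERR_TLS_* codes).
const CERT_ERROR_CODES = new Set([
  'CERT_HAS_EXPIRED', 'CERT_NOT_YET_VALID', 'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN', 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', 'ERR_TLS_CERT_ALTNAME_INVALID',
]);

function isCertificateError(err) {
  return Boolean(err) && CERT_ERROR_CODES.has(err.code);
}

// Vulnerable pattern: every failure, certificate errors included, is retried.
// Each attempt opens a fresh TLS connection to the attacker's server, and
// with a vulnerable undici each failed handshake leaks memory.
async function naiveDeliver(transport, url, maxRetries = 3) {
  let attempts = 0;
  for (;;) {
    attempts++;
    try {
      await transport(url);
      return { ok: true, attempts };
    } catch (err) {
      if (attempts > maxRetries) return { ok: false, attempts };
    }
  }
}

// Hardened pattern: a certificate error is deterministic for that endpoint,
// so it is never retried, and an origin is quarantined once `quarantineAfter`
// separate deliveries have failed on its certificate.
class WebhookDispatcher {
  constructor(transport, { maxRetries = 3, quarantineAfter = 3 } = {}) {
    this.transport = transport;       // async (url) => response, injected
    this.maxRetries = maxRetries;     // retries for transient errors only
    this.quarantineAfter = quarantineAfter;
    this.certFailures = new Map();    // origin -> consecutive certificate failures
    this.quarantined = new Set();     // origins no longer contacted at all
  }

  async deliver(url) {
    const origin = new URL(url).origin;
    if (this.quarantined.has(origin)) {
      return { ok: false, reason: 'quarantined', attempts: 0 };
    }
    let attempts = 0;
    for (;;) {
      attempts++;
      try {
        await this.transport(url);
        this.certFailures.delete(origin);
        return { ok: true, attempts };
      } catch (err) {
        if (isCertificateError(err)) {
          const n = (this.certFailures.get(origin) || 0) + 1;
          this.certFailures.set(origin, n);
          if (n >= this.quarantineAfter) this.quarantined.add(origin);
          return { ok: false, reason: 'certificate', attempts };
        }
        if (attempts > this.maxRetries) {
          return { ok: false, reason: 'transient', attempts };
        }
      }
    }
  }
}

// Constructed transport standing in for an attacker-controlled endpoint whose
// certificate never validates; it counts how many connections were attempted.
function badCertificateTransport() {
  const counter = { connections: 0 };
  const transport = async () => {
    counter.connections++;
    throw Object.assign(new Error('certificate has expired'), { code: 'CERT_HAS_EXPIRED' });
  };
  return { transport, counter };
}

// Deliver `events` webhook events through both patterns to the same bad
// endpoint and report how many TLS connection attempts each pattern made.
async function compareAttempts(events = 4) {
  const naive = badCertificateTransport();
  const hardened = badCertificateTransport();
  const dispatcher = new WebhookDispatcher(hardened.transport);
  const url = 'https://hooks.example.test/receive'; // constructed endpoint
  for (let i = 0; i < events; i++) {
    await naiveDeliver(naive.transport, url);
    await dispatcher.deliver(url);
  }
  return { naive: naive.counter.connections, hardened: hardened.counter.connections };
}
```

With four events and three retries, `compareAttempts(4)` resolves to `{ naive: 16, hardened: 3 }`: the naive sender opens a connection on every attempt, while the dispatcher makes one attempt per event and none once the origin is quarantined. In production the quarantine should expire after a cooldown or on operator action so that a legitimately renewed certificate is picked up again. This only limits how fast an attacker can drive the leak; the memory lost on each failed handshake is still lost until undici is upgraded.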
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | - | - |
What are the Available Fixes for CVE-2025-47279?
Available Upgrade Options
- undici
- <5.29.0 → Upgrade to 5.29.0
- >=6.0.0, <6.21.2 → Upgrade to 6.21.2
- >=7.0.0, <7.5.0 → Upgrade to 7.5.0
Upgrade every copy in the dependency tree, not only the direct dependency: nested copies pulled in by other packages (visible with `npm ls undici --all`) remain vulnerable until they are bumped or overridden.
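To find every copy of undici in a project, including nested copies that a top-level upgrade does not touch, the check below walks the JSON printed by `npm ls undici --all --json` and flags versions inside the ranges fixed by 5.29.0, 6.21.2 and 7.5.0. This is an added example, not tooling from undici or the advisory; the dependency tree at the bottom is constructed for the example.

```javascript
// Added example: flag every undici instance in an npm dependency tree that
// falls inside the ranges fixed by 5.29.0, 6.21.2 and 7.5.0. Input is the
// JSON printed by `npm ls undici --all --json`.

// First fixed release per major line covered by the advisory.
const FIXED_BY_MAJOR = { 5: [5, 29, 0], 6: [6, 21, 2], 7: [7, 5, 0] };

function parseVersion(v) {
  // Pre-release suffixes (e.g. 7.5.0-alpha.1) are ignored for this check.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected: <5.29.0 (which also covers majors 0 to 4), 6.x below 6.21.2,
// 7.x below 7.5.0. Majors 8 and above are outside the advisory's ranges.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] < 6) return compare(v, FIXED_BY_MAJOR[5]) < 0;
  const fixed = FIXED_BY_MAJOR[v[0]];
  return fixed !== undefined && compare(v, fixed) < 0;
}

// Walk the nested `dependencies` objects of npm ls --json output and collect
// every undici node with the path it was found under.
function findUndici(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'undici' && node.version) {
      out.push({
        path: here.join(' > '),
        version: node.version,
        affected: isAffected(node.version),
      });
    }
    findUndici(node, here, out);
  }
  return out;
}

// Constructed stand-in for `npm ls undici --all --json` output: the direct
// dependency is patched, but two packages still bundle vulnerable copies.
const sampleTree = {
  name: 'webhook-service',
  version: '1.0.0',
  dependencies: {
    undici: { version: '6.21.2' },
    'some-sdk': { version: '2.3.1', dependencies: { undici: { version: '6.20.1' } } },
    'other-lib': { version: '0.9.0', dependencies: { undici: { version: '5.28.4' } } },
  },
};

function affectedCopies(tree = sampleTree) {
  return findUndici(tree).filter((hit) => hit.affected).map((hit) => hit.path);
}
```

Run against the sample tree, `affectedCopies()` returns the two nested paths (`some-sdk@2.3.1 > undici@6.20.1` and `other-lib@0.9.0 > undici@5.28.4`) and not the patched top-level copy. `npm audit` reports the same finding through the GHSA, but a check like this is handy when a lockfile has to be scanned offline or the result has to feed a CI gate.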
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-47279
- https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
- https://osv.dev/vulnerability/GHSA-cxrh-j4jr-qwg3
- https://github.com/nodejs/undici/issues/3895
- https://github.com/nodejs/undici/pull/4088
- https://github.com/nodejs/undici
What are Similar Vulnerabilities to CVE-2025-47279?
Similar Vulnerabilities: CVE-2023-44673, CVE-2022-42289, CVE-2022-45047, CVE-2021-44757, CVE-2020-13936
