DEBIAN-CVE-2025-47279
PUBLISHED
CVSS 3.1 LOW
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
Risk Scores
CVSS 3.1
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | node-undici | 0, 7.15.0+dfsg+~cs3.2.0-3, 7.16.0+dfsg+~cs3.2.0-1 |
| Debian:12 | node-undici | *, 5.28.2+dfsg1, 5.28.2+dfsg1 |
| Debian:13 | node-undici | 7.15.0+dfsg+~cs3.2.0-3, 7.16.0+dfsg+~cs3.2.0-2, 7.18.2+dfsg+~cs3.2.0-1 |
Timeline
- May 15, 2025 CVE Published
- Apr 28, 2026 CVE Updated