DEBIAN-CVE-2025-47279

DEBIAN-CVE-2025-47279 PUBLISHED CVSS 3.1 LOW

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
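One way to apply the workaround on unpatched versions, as an added example (not code from undici or from Debian): a per-origin circuit breaker that stops calling a webhook endpoint after repeated failures. The `WebhookBreaker` class, the injected `send` function, and the thresholds are assumptions made for illustration.

```javascript
// Added example: limit repeated calls to a failing webhook endpoint.
// `send(url, payload)` is a hypothetical async function that performs the
// HTTP request (for instance with undici) and rejects on any failure,
// including a TLS certificate error.
class WebhookBreaker {
  constructor({ maxFailures = 3, cooldownMs = 60_000,
                maxCooldownMs = 3_600_000, now = Date.now } = {}) {
    Object.assign(this, { maxFailures, cooldownMs, maxCooldownMs, now });
    this.endpoints = new Map(); // origin -> { failures, openUntil }
  }

  // Keyed by origin, so other paths on the same failing host are blocked too.
  static key(url) { return new URL(url).origin; }

  canAttempt(url) {
    const s = this.endpoints.get(WebhookBreaker.key(url));
    return !s || this.now() >= s.openUntil;
  }

  recordSuccess(url) { this.endpoints.delete(WebhookBreaker.key(url)); }

  // Returns the timestamp before which no further call will be attempted.
  recordFailure(url) {
    const k = WebhookBreaker.key(url);
    const s = this.endpoints.get(k) ?? { failures: 0, openUntil: 0 };
    s.failures += 1;
    const over = s.failures - this.maxFailures;
    if (over >= 0) {
      // Each failure past the threshold doubles the wait, up to a cap.
      const wait = Math.min(this.cooldownMs * 2 ** over, this.maxCooldownMs);
      s.openUntil = this.now() + wait;
    }
    this.endpoints.set(k, s);
    return s.openUntil;
  }

  async deliver(url, payload, send) {
    if (!this.canAttempt(url)) return { status: 'skipped' };
    try {
      await send(url, payload);
      this.recordSuccess(url);
      return { status: 'delivered' };
    } catch (err) {
      this.recordFailure(url);
      return { status: 'failed', reason: err.code ?? err.message };
    }
  }
}
```

This only limits how often a failing endpoint is called; upgrading to a patched version is what removes the leak.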

Risk Scores

CVSS 3.1
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected Products

Vendor     Product      Versions
Debian:14  node-undici  0, 7.15.0+dfsg+~cs3.2.0-3, 7.16.0+dfsg+~cs3.2.0-1
Debian:12  node-undici  *, 5.28.2+dfsg1, 5.28.2+dfsg1
Debian:13  node-undici  7.15.0+dfsg+~cs3.2.0-3, 7.16.0+dfsg+~cs3.2.0-2, 7.18.2+dfsg+~cs3.2.0-1

Timeline

  • May 15, 2025 CVE Published
  • Apr 28, 2026 CVE Updated