Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-47279

Опубликовано: 15 мая 2025
Источник: debian

Описание

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
node-undiciunfixedpackage
node-undicino-dsabookwormpackage

Примечания

  • https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3

  • https://github.com/nodejs/undici/issues/3895

  • https://github.com/nodejs/undici/pull/4088

  • Fixed by: https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25 (v7.5.0)

Связанные уязвимости

ubuntu логотип

CVE-2025-47279

CVSS3: 3.1
ubuntu
около 1 месяца назад

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

redhat логотип

CVE-2025-47279

CVSS3: 3.1
redhat
около 1 месяца назад

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

nvd логотип

CVE-2025-47279

CVSS3: 3.1
nvd
около 1 месяца назад

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

github логотип

GHSA-cxrh-j4jr-qwg3

CVSS3: 3.1
github
около 1 месяца назад

undici Denial of Service attack via bad certificate data