| Name | CVE-2025-47279 |
| Description | Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1105860 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-undici (PTS) | bookworm | 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 | vulnerable |
| bookworm (security) | 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 | vulnerable | |
| trixie | 7.3.0+dfsg1+~cs24.12.11-1 | vulnerable | |
| sid | 7.3.0+dfsg1+~cs24.12.11-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-undici | source | (unstable) | (unfixed) | 1105860 |
[bookworm] - node-undici <no-dsa> (Minor issue)
https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
https://github.com/nodejs/undici/issues/3895
https://github.com/nodejs/undici/pull/4088
Fixed by: https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25 (v7.5.0)