CVE-2025-47279: undici Denial of Service attack via bad certificate data
Applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak.
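The condition described above depends on the application calling the same bad-certificate endpoint over and over, so a per-host circuit breaker that pauses delivery after a few certificate failures limits it. This is an added example, not code from the advisory or the undici project; `WebhookBreaker`, its thresholds, and the injected `send` function are hypothetical names and assumed values.

```javascript
// Certificate-verification error codes reported by Node.js TLS.
const TLS_CERT_ERRORS = new Set([
  'CERT_HAS_EXPIRED', 'CERT_NOT_YET_VALID', 'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN', 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', 'ERR_TLS_CERT_ALTNAME_INVALID',
]);
// fetch() reports TLS failures as TypeError('fetch failed') with the socket
// error in .cause, so walk a short cause chain looking for a known code.
function isCertError(err) {
  for (let e = err, i = 0; e && i < 5; e = e.cause, i++) {
    if (TLS_CERT_ERRORS.has(e.code)) return true;
  }
  return false;
}
class WebhookBreaker {
  // Defaults are assumed values; `now` is injectable so the logic is testable.
  constructor({ maxCertFailures = 3, cooldownMs = 900000, maxHosts = 10000, now = Date.now } = {}) {
    Object.assign(this, { maxCertFailures, cooldownMs, maxHosts, now });
    this.hosts = new Map(); // host -> { failures, blockedUntil }
  }
  allow(url) {
    const s = this.hosts.get(new URL(url).host);
    return !s || s.blockedUntil <= this.now();
  }
  record(url, err) {
    const host = new URL(url).host;
    if (!err) return void this.hosts.delete(host); // success clears the count
    if (!isCertError(err)) return;                 // other errors: normal retry policy
    // Bound the table so caller-supplied hostnames cannot grow it without limit.
    if (!this.hosts.has(host) && this.hosts.size >= this.maxHosts)
      this.hosts.delete(this.hosts.keys().next().value);
    const s = this.hosts.get(host) || { failures: 0, blockedUntil: 0 };
    if (++s.failures >= this.maxCertFailures) {
      Object.assign(s, { failures: 0, blockedUntil: this.now() + this.cooldownMs });
    }
    this.hosts.set(host, s);
  }
  async deliver(url, send) { // send: caller's delivery function (assumed)
    if (!this.allow(url)) return { sent: false, reason: 'cert-failure-cooldown' };
    try {
      const res = await send(url);
      this.record(url, null);
      return { sent: true, res };
    } catch (err) {
      this.record(url, err);
      return { sent: false, reason: isCertError(err) ? 'bad-certificate' : 'error' };
    }
  }
}
```

Wrap each outbound webhook call as `breaker.deliver(url, u => fetch(u, { method: 'POST', body }))` and log the `cert-failure-cooldown` results, since a host that keeps hitting the breaker is worth reviewing.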
Detect and mitigate CVE-2025-47279 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.