#VU109244 Memory leak in undici - CVE-2025-47279

Cybersecurity Help s.r.o.

Published: 2025-05-16

Vulnerability identifier: #VU109244

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-47279

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
undici
Server applications / File servers (FTP/HTTP)

Vendor: Node.js

Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due memory leak when handling invalid certificates. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

undici: 5.0.0 - 7.4.0

External links
https://github.com/nodejs/undici/issues/3895
https://github.com/nodejs/undici/pull/4088
https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM App Connect Enterprise Certified Container update for Undici

Remote denial of service in Undici