Description
Applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak.
Recommendation
Update the undici package to the latest compatible version. Version details:

Affected version(s):
- **>= 7.0.0, < 7.5.0**
- **>= 6.0.0, < 6.21.2**
- **< 5.29.0**

Patched version(s):
- **7.5.0**
- **6.21.2**
- **5.29.0**
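To find every copy of undici a project actually installs, including nested transitive copies, the affected ranges above can be checked against `package-lock.json`. The following is an added example, not code from undici or from this advisory; the function names and the sample lockfile are constructed, and it assumes the lockfile v2/v3 `packages` layout.

```javascript
// Added example: flag undici installs that fall in the advisory's affected ranges.
// Patched versions are copied from the advisory; the sample lockfile is constructed.
const PATCHED = { 7: [7, 5, 0], 6: [6, 21, 2], 5: [5, 29, 0] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to move to, or null if the version is not affected
// (unparsable version strings are skipped and also return null).
function fixFor(version) {
  const p = parseVersion(version);
  if (!p) return null;
  const major = p.nums[0];
  // "< 5.29.0" has no lower bound, so majors below 5 map to the 5.x fix.
  const target = major <= 5 ? PATCHED[5] : PATCHED[major];
  if (!target) return null; // majors above 7 are not listed in the advisory
  const c = compare(p.nums, target);
  // A pre-release of the patched version sorts before it, so it is still affected.
  return c < 0 || (c === 0 && p.pre) ? target.join('.') : null;
}

// Walks the lockfile "packages" map and reports each affected undici copy.
function findAffectedUndici(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/undici$/.test(path)) continue; // skips undici-types etc.
    const upgradeTo = fixFor(meta.version || '');
    if (upgradeTo) hits.push({ path, version: meta.version, upgradeTo });
  }
  return hits;
}

// Constructed sample input; in practice pass JSON.parse of the real package-lock.json.
const sampleLock = {
  packages: {
    'node_modules/undici': { version: '6.21.1' },
    'node_modules/some-client/node_modules/undici': { version: '5.29.0' },
    'node_modules/other/node_modules/undici': { version: '7.4.0' },
    'node_modules/undici-types': { version: '6.19.8' },
  },
};
console.log(findAffectedUndici(sampleLock));
```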
Related Issues
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Cube Core is vulnerable to Denial of Service (DoS) via crafted request - CVE-2026-25957
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- Strapi core vulnerable to sensitive data exposure via CORS misconfiguration - CVE-2025-53092
Tags: npm, undici
Last updated on February 06, 2026


