Description
Applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak.
Recommendation
Update the undici package to the latest compatible version. The affected and patched versions are:
Affected version(s): **>= 7.0.0, < 7.5.0; >= 6.0.0, < 6.21.2; < 5.29.0**
Patched version(s): **7.5.0, 6.21.2, 5.29.0**
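Two defender-side checks for this advisory, as an added example that is not part of the advisory or of undici itself: `isAffectedUndici` tests a version string against the affected ranges listed above, and `shouldRetryWebhook` is a hypothetical retry policy for a webhook dispatcher that refuses to re-dial an endpoint whose certificate failed validation, so an attacker cannot make the application call it repeatedly. The TLS error codes are Node.js/OpenSSL codes; that the delivery code surfaces them via `err.code` or `err.cause.code` is an assumption.

```javascript
// Added example, not code from the advisory or the undici project.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges from the advisory: >=7.0.0 <7.5.0, >=6.0.0 <6.21.2, <5.29.0
const AFFECTED = [
  { min: '7.0.0', max: '7.5.0' },
  { min: '6.0.0', max: '6.21.2' },
  { min: '0.0.0', max: '5.29.0' },
];

// true if `version` falls inside one of the affected ranges (min inclusive, max exclusive)
function isAffectedUndici(version) {
  const v = parseSemver(version);
  return AFFECTED.some(r => cmp(v, parseSemver(r.min)) >= 0 && cmp(v, parseSemver(r.max)) < 0);
}

// Node.js TLS error codes meaning the remote certificate did not validate.
// Assumption: the dispatcher sees the error with its `code` (or `cause.code`).
const CERT_ERROR_CODES = new Set([
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', 'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN', 'CERT_HAS_EXPIRED', 'ERR_TLS_CERT_ALTNAME_INVALID',
  'CERT_UNTRUSTED', 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
]);

// Hypothetical retry policy: never re-dial after a certificate failure,
// and bound retries for every other error so repeated calls stay finite.
function shouldRetryWebhook(err, attempt, maxAttempts = 3) {
  const code = err && (err.code || (err.cause && err.cause.code));
  if (CERT_ERROR_CODES.has(code)) return false; // invalid cert: disable endpoint, no retry
  return attempt < maxAttempts;                 // transient error: bounded retries only
}

// Checks the installed copy; returns null when undici is not installed.
function installedUndiciAffected() {
  try { return isAffectedUndici(require('undici/package.json').version); }
  catch { return null; }
}
```

Run `installedUndiciAffected()` in a CI step to fail the build while an affected version is installed; wire `shouldRetryWebhook` into the dispatcher's error handler so a certificate failure disables the endpoint instead of scheduling another attempt.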
References
Related Issues
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Regular Expression Denial of Service in Headers - CVE-2023-24807
- SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering (GHSA-j62c-4x62-9r35) - CVE-2025-67647
- angular vulnerable to regular expression denial of service via the angular.copy() utility - CVE-2023-26116
Tags:
- npm
- undici
Last updated on May 16, 2025