Description
Applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, they can cause a memory leak.
Recommendation
Update the undici package to the latest compatible version. Version details are as follows:

Affected version(s):
- **>= 7.0.0, < 7.5.0**
- **>= 6.0.0, < 6.21.2**
- **< 5.29.0**

Patched version(s):
- **7.5.0**
- **6.21.2**
- **5.29.0**
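Because an affected undici can sit several levels deep as a transitive dependency, a version check has to cover every installed copy, not just the top-level one. The following is an added example, not code from the advisory or from the undici project: a dependency-free checker that tests a version against the three affected ranges listed above, names the patched release on the same major line, and walks the `packages` map of a lockfile. The lockfile content, the function names and the `webhook-service` / `some-sdk` package names are constructed for illustration.

```javascript
// Added example (not from the advisory or the undici project): checks whether
// installed undici versions fall inside the affected ranges quoted above.

// Affected ranges exactly as listed in the advisory ("max" is exclusive).
const AFFECTED_RANGES = [
  { min: '7.0.0', max: '7.5.0' },  // >= 7.0.0, < 7.5.0
  { min: '6.0.0', max: '6.21.2' }, // >= 6.0.0, < 6.21.2
  { min: null, max: '5.29.0' },    // < 5.29.0
];

// Patched releases from the advisory, newest major line first.
const PATCHED_VERSIONS = ['7.5.0', '6.21.2', '5.29.0'];

// Parses "MAJOR.MINOR.PATCH" with an optional leading "v", an optional
// pre-release suffix ("-rc.1") and optional build metadata ("+abc"), which is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// Returns -1, 0 or 1. A pre-release sorts below the release with the same numbers
// (so 7.5.0-rc.1 < 7.5.0 and is still affected); two pre-releases with equal
// numbers are treated as equal, which is enough for range membership here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

// True if the version lies inside any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(({ min, max }) =>
    (min === null || compareVersions(version, min) >= 0) &&
    compareVersions(version, max) < 0);
}

// Patched release on the same major line, or null if the version is not affected.
// Versions below 5.x have no patched line of their own and are pointed at 5.29.0.
function recommendedUpgrade(version) {
  if (!isAffected(version)) return null;
  const major = parseVersion(version).nums[0];
  return PATCHED_VERSIONS.find(p => parseVersion(p).nums[0] === major)
    ?? PATCHED_VERSIONS[PATCHED_VERSIONS.length - 1];
}

// Walks the "packages" map of a package-lock.json (lockfile v2/v3), which lists
// every installed copy of a package, including nested transitive duplicates.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path !== 'node_modules/undici' && !path.endsWith('/node_modules/undici')) continue;
    const version = entry.version;
    findings.push({ path, version, affected: isAffected(version), upgradeTo: recommendedUpgrade(version) });
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is patched, but a transitive
// copy pulled in by a hypothetical "some-sdk" package is still on an affected release.
const SAMPLE_LOCK = JSON.stringify({
  name: 'webhook-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'webhook-service', version: '1.0.0' },
    'node_modules/undici': { version: '7.5.0' },
    'node_modules/some-sdk': { version: '2.3.1' },
    'node_modules/some-sdk/node_modules/undici': { version: '6.20.1' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.affected ? `AFFECTED, upgrade to ${f.upgradeTo}` : 'ok'}`);
}
```

On a real project, read `package-lock.json` from disk and pass its contents to `auditLockfile`; any finding with `affected: true` means the patched release it names still has to reach that nested copy (typically by updating the dependency that pins it, or via an `overrides` entry), since upgrading only the top-level undici leaves the duplicate in place.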
References
Related Issues
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- angular vulnerable to regular expression denial of service via the $resource service - CVE-2023-26117
- angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118
- steal vulnerable to Regular Expression Denial of Service via input variable - CVE-2022-37260
Tags:
- npm
- undici
Last updated on February 06, 2026