Description
Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.
Recommendation
Update the undici package to the latest compatible version. Followings are version details:
Affected version(s): **>= 7.0.0, < 7.5.0 >= 6.0.0, < 6.21.2 < 5.29.0** Patched version(s): **7.5.0 6.21.2 5.29.0**
References
Related Issues
- Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260
- fetch(url) leads to a memory leak in undici - CVE-2024-24750
- Undici vulnerable to data leak when using response.arrayBuffer() - CVE-2024-38372
- Undici proxy-authorization header not cleared on cross-origin redirect in fetch - CVE-2024-24758
- Tags:
- npm
- undici
Anything's wrong? Let us know Last updated on May 16, 2025