Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS

Description

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).

In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers.

Recommendation

Update the undici package to the latest compatible version. Followings are version details:

• Affected version(s): >= 7.17.0, < 7.24.0
• Patched version(s): 7.24.0

References

• GHSA-phc3-fgpg-7m6h
• hackerone.com
• cna.openjsf.org
• CVE-2026-2581
• CWE-770
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
• Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - CVE-2026-1526
• LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) - CVE-2026-45357
• Undici has an HTTP Request/Response Smuggling issue - CVE-2026-1525

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

undici