Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
Severity: Medium
Description
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).
In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory, without any bound, for downstream handlers.
Recommendation
Update the undici package to the latest compatible version. Version details:
- Affected version(s): >= 7.17.0, < 7.24.0
- Patched version(s): 7.24.0
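As an added check (not code from undici or from this advisory), the dependency-free Node.js script below compares an undici version against the affected range given above and scans the `packages` map of a package-lock.json for every installed copy of undici, nested copies included; the lockfile object and its versions are constructed for the example.

```javascript
// Added example: flag undici versions in this advisory's affected range
// (>= 7.17.0, < 7.24.0). Not part of undici or of the advisory text.
const AFFECTED_MIN = '7.17.0'; // first affected release (inclusive)
const PATCHED = '7.24.0';      // first patched release (exclusive bound)

// Parse "MAJOR.MINOR.PATCH" into three integers. A leading "v" and any
// pre-release or build suffix are ignored for the range comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the advisory's affected range.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, PATCHED) < 0;
}

// Walk a lockfile's "packages" map (lockfileVersion 2/3) and report every
// undici install path whose version is affected, including nested copies
// that a top-level upgrade alone would not fix.
function findAffectedUndici(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isUndici = path === 'node_modules/undici' || path.endsWith('/node_modules/undici');
    if (isUndici && meta && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/undici': { version: '7.20.1' },
    'node_modules/some-dep/node_modules/undici': { version: '7.24.0' },
  },
};

console.log(findAffectedUndici(sampleLock)); // [{ path: 'node_modules/undici', version: '7.20.1' }]
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.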
References
Related Issues
- Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - CVE-2026-1526
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
Tags:
- npm
- undici
Last updated on March 13, 2026