CVE-2025-47279

3.1 LOW

📋 TL;DR

Undici, the HTTP client for Node.js, leaks memory in versions before 5.29.0, 6.21.2 and 7.5.0 when an application repeatedly calls an HTTPS endpoint whose certificate fails validation. Applications that use undici for webhook-like delivery with retry-on-failure are affected: an attacker who controls a webhook destination presenting an invalid certificate, and who can make the application call it repeatedly, can drive the process to memory exhaustion.

💻 Affected Systems

Products:
  • undici
Versions: 5.x before 5.29.0, 6.x before 6.21.2, 7.x before 7.5.0
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes, when undici is used to call endpoints with invalid certificates repeatedly
Notes: Only applications that retry outbound HTTPS calls to endpoints that users or third parties can register (webhook-like systems) are exposed. Node.js also ships its own bundled copy of undici behind the global fetch(); that copy does not appear in npm's dependency tree and is updated only by upgrading Node.js itself.

⚠️ Manual Verification Required

Version matching alone does not tell you whether you are exposed. Every 5.x, 6.x and 7.x release before the fix contains the leak, but it is only reachable in applications that repeatedly call HTTPS endpoints whose certificates fail validation, so confirm how undici is used, not just which version is installed.

Why? The vendor advisory gives the fixed versions, but the trigger depends on application behaviour (retrying calls to attacker-chosen endpoints), which a package scan cannot see.


Recommended Actions:
  1. Review the CVE details at NVD and the vendor advisory (GHSA-cxrh-j4jr-qwg3)
  2. Identify which undici line (5.x, 6.x or 7.x) each copy in your dependency tree belongs to
  3. Check whether the application retries outbound HTTPS calls to endpoints that users or third parties can register
  4. Update every copy to the fixed release for its line (5.29.0, 6.21.2 or 7.5.0) or later

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory exhaustion leading to application crashes, denial of service, and potential system instability

🟠

Likely Case

Gradual memory consumption affecting application performance, potentially requiring restarts

🟢

If Mitigated

Minimal impact with proper retry logic and certificate validation

🌐 Internet-Facing: MEDIUM - Requires attacker to control webhook endpoint and force repeated calls
🏢 Internal Only: LOW - Internal systems typically have controlled endpoints and certificates

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Requires attacker to control webhook endpoint with invalid certificate and force repeated calls

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.29.0, 6.21.2, or 7.5.0

Vendor Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3

Restart Required: Yes

Instructions:

1. List every copy of undici in the dependency tree, including transitive ones: npm ls undici --all
2. Update within your major line rather than jumping majors, e.g. npm install undici@^6.21.2 (or @^5.29.0, @^7.5.0). For copies pulled in by other packages, update the package that depends on them or pin the version with an "overrides" entry in package.json.
3. Restart the Node.js application
4. Verify the update: npm ls undici --all
5. If the application uses the global fetch() rather than the undici package, that bundled copy is fixed only by upgrading Node.js; check the Node.js release notes for the release that picked up the patched undici.

🔧 Temporary Workarounds

Implement retry logic with circuit breaker (all platforms)

Avoid repeated calls to failing webhooks: cap the number of attempts, back off exponentially between them, and open a per-endpoint circuit breaker after consecutive failures so the endpoint stops being dialled until a cooldown expires.

Validate webhook endpoints (all platforms)

Undici already rejects invalid certificates; the leak is in the repeated failed attempts. Verify that an endpoint presents a valid certificate when it is registered, reject it otherwise, and disable a registered endpoint after consecutive TLS failures rather than retrying it.

🧯 If You Can't Patch

  • Enforce strict retry limits for failed webhook calls, and treat certificate errors as permanent failures that are not retried at all
  • Monitor process memory (heap and RSS) and restart the application when consumption grows abnormally
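The backoff, retry-limit and circuit-breaker workaround described above, as an added example that is not code from undici or from the advisory. The transport is injected so the example runs offline; in a real service `send` would wrap undici's `request()` or `fetch()`. The error codes matched are the ones Node's TLS stack raises for certificate problems; the host names and transports are constructed for the demo.

```javascript
// Added example, not undici's or the advisory's code. A webhook dispatcher
// that caps retries with exponential backoff and trips a per-origin circuit
// breaker, so an endpoint that keeps failing TLS validation is stopped
// instead of being re-dialled forever.

const CERT_ERROR_CODES = new Set([
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'CERT_HAS_EXPIRED',
  'ERR_TLS_CERT_ALTNAME_INVALID',
]);

// Certificate failures are not transient: retrying cannot make them succeed.
function isCertificateError(err) {
  return CERT_ERROR_CODES.has(err && err.code);
}

class CircuitBreaker {
  constructor({ failureThreshold = 3, cooldownMs = 60_000, now = Date.now } = {}) {
    Object.assign(this, { failureThreshold, cooldownMs, now, failures: 0, openedAt: null });
  }
  get state() {
    if (this.openedAt === null) return 'closed';
    return this.now() - this.openedAt >= this.cooldownMs ? 'half-open' : 'open';
  }
  allows() { return this.state !== 'open'; }
  recordSuccess() { this.failures = 0; this.openedAt = null; }
  recordFailure() {
    this.failures += 1;
    if (this.failures >= this.failureThreshold) this.openedAt = this.now();
  }
}

class WebhookDispatcher {
  constructor(send, opts = {}) {
    this.send = send;                       // async (url, payload) => void, throws on failure
    this.maxAttempts = opts.maxAttempts ?? 3;
    this.baseDelayMs = opts.baseDelayMs ?? 200;
    this.sleep = opts.sleep ?? (ms => new Promise(r => setTimeout(r, ms)));
    this.breakerOptions = opts.breaker ?? {};
    this.breakers = new Map();              // one breaker per origin, not per payload
  }

  breakerFor(url) {
    const origin = new URL(url).origin;
    if (!this.breakers.has(origin)) this.breakers.set(origin, new CircuitBreaker(this.breakerOptions));
    return this.breakers.get(origin);
  }

  async deliver(url, payload) {
    const breaker = this.breakerFor(url);
    if (!breaker.allows()) return { ok: false, attempts: 0, reason: 'circuit-open' };
    let attempts = 0;
    let reason;
    while (attempts < this.maxAttempts) {
      attempts += 1;
      try {
        await this.send(url, payload);
        breaker.recordSuccess();
        return { ok: true, attempts };
      } catch (err) {
        reason = err.code || err.message;
        breaker.recordFailure();
        // Stop at once on a certificate error or once the breaker has opened.
        if (isCertificateError(err) || !breaker.allows()) break;
        await this.sleep(this.baseDelayMs * 2 ** (attempts - 1)); // 200, 400, 800 ms ...
      }
    }
    return { ok: false, attempts, reason };
  }
}

// Constructed offline transports standing in for a real HTTPS call.
function failingTransport(code) {
  const t = { calls: 0 };
  t.send = async () => { t.calls += 1; const e = new Error(code); e.code = code; throw e; };
  return t;
}

// Drives a self-signed endpoint and a flaky one and returns what happened.
async function demo() {
  const noSleep = async () => {};
  const selfSigned = failingTransport('DEPTH_ZERO_SELF_SIGNED_CERT');
  const d1 = new WebhookDispatcher(selfSigned.send, { sleep: noSleep, breaker: { failureThreshold: 3 } });
  const certResults = [];
  for (let i = 0; i < 4; i++) certResults.push(await d1.deliver('https://hook.attacker.example/events', { id: i }));

  const flaky = failingTransport('ECONNRESET');
  const d2 = new WebhookDispatcher(flaky.send, { sleep: noSleep, breaker: { failureThreshold: 3 } });
  const transientResult = await d2.deliver('https://hooks.partner.example/events', { id: 0 });

  return { certResults, certCalls: selfSigned.calls, transientResult, transientCalls: flaky.calls };
}
```

With the self-signed endpoint each delivery makes exactly one connection attempt, and after three consecutive failures the breaker opens and the fourth delivery never dials at all; the transient endpoint is retried up to the cap with growing delays, then also trips the breaker.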

🔍 How to Verify

Check if Vulnerable:

List every copy of undici, including transitive ones: npm ls undici --all

Check Version:

Each reported version must be compared against the fix for its own major line: 5.x needs 5.29.0 or later, 6.x needs 6.21.2 or later, 7.x needs 7.5.0 or later. A 6.x install is not fixed just because 7.5.0 exists.

Verify Fix Applied:

Re-run npm ls undici --all and confirm no copy remains below 5.29.0, 6.21.2 or 7.5.0 in its line. If the application relies on Node's built-in fetch(), confirm the Node.js version as well, since that bundled undici is invisible to npm.
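A per-major-line version check over the JSON that npm ls undici --all --json prints, as an added example that is not the project's or the page's own tooling. The dependency tree below is constructed for the demo; the package names in it are hypothetical.

```javascript
// Added example. Walks npm's JSON tree and checks every copy of undici
// against the fixed version for its major line (5.29.0 / 6.21.2 / 7.5.0).

const FIXED_BY_MAJOR = { 5: '5.29.0', 6: '6.21.2', 7: '7.5.0' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare, so 7.10.0 sorts after 7.5.0 (a string compare would not).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `version` is below the fix for its own line. Majors below 5 never
// received a fix; anything above the highest fixed line is at or past the fix.
function isVulnerableUndici(version) {
  const major = parseVersion(version)[0];
  if (major < 5) return true;
  if (major > 7) return false;
  return compareVersions(version, FIXED_BY_MAJOR[major]) < 0;
}

// Recursively collects every undici node with its path through the tree.
function findUndici(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'undici' && node.version) {
      out.push({ path: here.join(' > '), version: node.version, vulnerable: isVulnerableUndici(node.version) });
    }
    findUndici(node, here, out);
  }
  return out;
}

function audit(npmLsJson) {
  return findUndici(JSON.parse(npmLsJson));
}

// Constructed stand-in for `npm ls undici --all --json` output: a direct 6.x
// dependency plus two hypothetical packages that bring their own copies.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'webhook-service',
  version: '1.0.0',
  dependencies: {
    undici: { version: '6.21.1' },
    'some-sdk': { version: '2.3.0', dependencies: { undici: { version: '7.5.0' } } },
    'legacy-tool': { version: '0.9.1', dependencies: { undici: { version: '5.28.4' } } },
  },
});

for (const hit of audit(SAMPLE_NPM_LS)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

Run it against real output with `npm ls undici --all --json > tree.json` and feed the file to `audit()`; every line marked VULNERABLE names the dependency path that has to be updated or overridden.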

📡 Detection & Monitoring

Log Indicators:

  • Repeated connection errors to same endpoint
  • Increasing memory usage over time
  • Certificate validation failures

Network Indicators:

  • Multiple HTTPS requests to same endpoint with certificate errors
  • Unusual retry patterns to external endpoints

SIEM Query (Splunk-style; the dest_ip field name assumes your application logs carry the destination as a field):

source="application.logs" ("certificate error" OR "connection failed" OR "CERT_" OR "SELF_SIGNED")
| stats count by dest_ip
| where count > 10
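The same detection run over application log lines, as an added example that is not a query or tool from the page. The log format and the sample lines are constructed: one destination receives twelve certificate failures inside a minute, another receives three spread over forty minutes, which is the difference between an attacker-controlled endpoint being hammered and a partner having an occasional outage.

```javascript
// Added example. Counts certificate/connection failures per webhook
// destination inside a sliding time window and flags destinations that
// exceed a threshold, which is the repeated-failing-webhook pattern this
// CVE needs in order to leak memory.

const FAILURE_PATTERNS = [/certificate/i, /connection failed/i, /ECONNRESET|ECONNREFUSED|CERT_|SELF_SIGNED/];

// Constructed line shape: "<ISO time> <level> webhook dest=<host> err=<message>"
function parseLine(line) {
  const m = /^(\S+) (\S+) webhook dest=(\S+) err=(.*)$/.exec(line);
  if (!m) return null; // success lines and unrelated log lines are skipped
  return { ts: Date.parse(m[1]), level: m[2], dest: m[3], err: m[4] };
}

function isFailure(err) {
  return FAILURE_PATTERNS.some(re => re.test(err));
}

// Returns one alert per destination whose densest window exceeds `threshold`.
function detectRepeatedFailures(lines, { windowMs = 5 * 60_000, threshold = 10 } = {}) {
  const byDest = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !isFailure(ev.err)) continue;
    if (!byDest.has(ev.dest)) byDest.set(ev.dest, []);
    byDest.get(ev.dest).push(ev.ts);
  }
  const alerts = [];
  for (const [dest, times] of byDest) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // slide the window forward
      peak = Math.max(peak, end - start + 1);
    }
    if (peak > threshold) alerts.push({ dest, failuresInWindow: peak, total: times.length });
  }
  return alerts;
}

// Constructed sample log: 12 self-signed-cert failures in 44 seconds against
// one host, 3 transient failures over 40 minutes against another, one success.
const SAMPLE_LOG = [
  ...Array.from({ length: 12 }, (_, i) =>
    `2025-05-15T10:00:${String(i * 4).padStart(2, '0')}Z error webhook dest=hook.attacker.example err=DEPTH_ZERO_SELF_SIGNED_CERT self signed certificate`),
  '2025-05-15T10:00:05Z error webhook dest=hooks.partner.example err=connection failed: ECONNRESET',
  '2025-05-15T10:20:05Z error webhook dest=hooks.partner.example err=connection failed: ECONNRESET',
  '2025-05-15T10:40:05Z error webhook dest=hooks.partner.example err=connection failed: ECONNRESET',
  '2025-05-15T10:00:07Z info webhook dest=hooks.partner.example ok=200',
];

for (const a of detectRepeatedFailures(SAMPLE_LOG)) {
  console.log(`ALERT ${a.dest}: ${a.failuresInWindow} failures in window (${a.total} total)`);
}
```

With the default five-minute window and threshold of 10 only the attacker host fires; widening the window to an hour and lowering the threshold would also surface the partner, so tune both to the retry cadence of your own dispatcher.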
