Bug 2366632 (CVE-2025-47279)

Summary: CVE-2025-47279 undici: Undici Memory Leak with Invalid Certificates
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aazores, abarbaro, adkhan, anpicker, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, cmah, darran.lofthouse, dhanak, dkreling, dosoudil, dsimansk, eaguilar, ebaron, fjuma, gryan, gzaronik, hasun, istudens, ivassile, iweiss, jchui, jfula, jhe, jhuff, jkoehler, jolong, jowilson, kingland, ktsao, kverlaen, lgao, lphiri, manissin, matzew, mnovotny, mosmerov, msochure, msvehla, nboldt, nwallace, nyancey, ometelka, pesilva, pjindal, pmackay, psrna, ptisnovs, rstancel, sausingh, sdawley, sfroberg, skontopo, smaestri, syedriko, tom.jenkinson, xdharmai
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A memory leak was found in Undici, the HTTP/1.1 client library for Node.js. An attacker who controls a webhook endpoint can present an invalid TLS certificate; each failed connection attempt leaves memory allocated that Undici never releases. If the application can be made to call that endpoint repeatedly (for example, by retrying every failed delivery), memory consumption grows without bound, eventually exhausting resources and degrading the availability and stability of the application that relies on Undici for webhook delivery.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2366736, 2366737, 2366738, 2366739, 2366740
Bug Blocks:

Description OSIDB Bzimport 2025-05-15 18:01:24 UTC
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
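The two practical questions this report raises are whether an installed undici is one of the affected releases, and how to honour the stated workaround (do not keep calling a webhook that fails) in a delivery loop. The following is an added example, written for this page and not code from undici, Red Hat, or the advisory. It takes the fixed versions (5.29.0, 6.21.2, 7.5.0) from the description above, and assumes that releases older than 5.x also count as vulnerable since they are "prior to 5.29.0" and received no fix. The list of TLS verification error codes is the set Node.js/OpenSSL raises on certificate failures; the breaker policy (open immediately on a certificate error, after five consecutive other failures otherwise), the class and function names, and the `send` callback are illustrative choices, not anything the advisory prescribes.

```javascript
// Added example, not undici's or Red Hat's code: (1) a check for whether an
// installed undici version predates the fixed releases named in the advisory,
// and (2) a per-endpoint circuit breaker that implements the stated workaround,
// i.e. stop re-calling a webhook whose TLS certificate fails validation instead
// of retrying it. Names and policy thresholds here are illustrative.

// Fixed releases per major line, as given in the advisory.
const FIXED_UNDICI = { 5: [5, 29, 0], 6: [6, 21, 2], 7: [7, 5, 0] };

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` is below the fix for its major line. Majors older than 5
// are also "prior to 5.29.0" and got no fix, so they are reported vulnerable
// (assumption); majors newer than 7 postdate the fix.
function isVulnerableUndici(version) {
  const v = parseSemver(version);
  const fixed = FIXED_UNDICI[v[0]];
  if (!fixed) return v[0] < 5;
  return cmpSemver(v, fixed) < 0;
}

// Node.js / OpenSSL error codes meaning the peer's certificate failed
// verification. undici's fetch() wraps the socket error in a
// TypeError('fetch failed') whose `cause` carries the real code, so walk the
// cause chain rather than looking only at the top-level error.
const TLS_CERT_ERRORS = new Set([
  'CERT_HAS_EXPIRED', 'CERT_UNTRUSTED', 'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN', 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', 'ERR_TLS_CERT_ALTNAME_INVALID',
]);

function tlsCertErrorCode(err) {
  for (let e = err; e; e = e.cause) {
    if (e.code && TLS_CERT_ERRORS.has(e.code)) return e.code;
  }
  return null;
}

// Per-endpoint breaker. A certificate failure opens the circuit at once: the
// call cannot succeed until the endpoint's operator fixes the certificate, and
// on a vulnerable client every retry is another leaked allocation. Other
// failures (timeouts, 5xx) open it after `maxOtherFailures` in a row.
class WebhookCircuit {
  constructor({ maxOtherFailures = 5 } = {}) {
    this.maxOtherFailures = maxOtherFailures;
    this.state = new Map(); // endpoint -> { open, reason, otherFailures }
  }
  entry(endpoint) {
    if (!this.state.has(endpoint)) {
      this.state.set(endpoint, { open: false, reason: null, otherFailures: 0 });
    }
    return this.state.get(endpoint);
  }
  canSend(endpoint) { return !this.entry(endpoint).open; }
  recordSuccess(endpoint) {
    const s = this.entry(endpoint);
    s.open = false; s.reason = null; s.otherFailures = 0;
  }
  recordFailure(endpoint, err) {
    const s = this.entry(endpoint);
    const code = tlsCertErrorCode(err);
    if (code) { s.open = true; s.reason = code; return s; }
    if (++s.otherFailures >= this.maxOtherFailures) {
      s.open = true; s.reason = err.code || 'repeated-failure';
    }
    return s;
  }
  // Operator action once the remote certificate is repaired. Assumption: no
  // automatic half-open probe, so a hostile endpoint is not re-dialled on a timer.
  reset(endpoint) { this.state.delete(endpoint); }
}

// `send(endpoint, payload)` is any async HTTP call, e.g. a wrapper over
// undici's fetch(); it is injected so the logic can be exercised offline.
async function deliverWebhook(circuit, endpoint, payload, send) {
  if (!circuit.canSend(endpoint)) {
    return { sent: false, reason: 'circuit-open', cause: circuit.entry(endpoint).reason };
  }
  try {
    const res = await send(endpoint, payload);
    if (res.status >= 500) {
      throw Object.assign(new Error(`HTTP ${res.status}`), { code: `HTTP_${res.status}` });
    }
    circuit.recordSuccess(endpoint);
    return { sent: true, status: res.status };
  } catch (err) {
    const s = circuit.recordFailure(endpoint, err);
    return { sent: false, reason: tlsCertErrorCode(err) || err.code || 'error', open: s.open };
  }
}
```

In a real delivery worker `send` would be `(url, body) => fetch(url, { method: 'POST', body: JSON.stringify(body) })` from undici, and the circuit would be shared across the workers that deliver to the same endpoint; the point of opening on the first certificate error is that, unlike a timeout, a failed certificate validation will not fix itself, so a backoff-and-retry loop only feeds the leak. Upgrading to a fixed release is still the actual remediation; the breaker limits exposure until that is done.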