2366632 – (CVE-2025-47279) CVE-2025-47279 undici: Undici Memory Leak with Invalid Certificates

Bug 2366632 (CVE-2025-47279) - CVE-2025-47279 undici: Undici Memory Leak with Invalid Certificates

Summary: CVE-2025-47279 undici: Undici Memory Leak with Invalid Certificates

Keywords:
Status:	NEW
Alias:	CVE-2025-47279
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2366736 2366737 2366739 2366740 2366738
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-15 18:01 UTC by OSIDB Bzimport
Modified:	2025-06-01 08:27 UTC (History)
CC List:	61 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-15 18:01:24 UTC

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
adkhan
anpicker
asoldano
bbaranow
bmaxwell
brian.stansberry
cdaley
cdewolf
cmah
darran.lofthouse
dhanak
dkreling
dosoudil
dsimansk
eaguilar
ebaron
fjuma
gryan
gzaronik
hasun
istudens
ivassile
iweiss
jchui
jfula
jhe
jhuff
jkoehler
jolong
jowilson
kingland
ktsao
kverlaen
lgao
lphiri
manissin
matzew
mnovotny
mosmerov
msochure
msvehla
nboldt
nwallace
nyancey
ometelka
pesilva
pjindal
pmackay
psrna
ptisnovs
rstancel
sausingh
sdawley
sfroberg
skontopo
smaestri
syedriko
tom.jenkinson
xdharmai