Low severity3.1OSV Advisory· Published May 15, 2025· Updated Apr 15, 2026
CVE-2025-47279
CVE-2025-47279
Description
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
undicinpm | < 5.29.0 | 5.29.0 |
undicinpm | >= 6.0.0, < 6.21.2 | 6.21.2 |
undicinpm | >= 7.0.0, < 7.5.0 | 7.5.0 |
Affected products
6- osv-coords5 versionspkg:apk/chainguard/code-serverpkg:apk/chainguard/code-server-compatpkg:apk/wolfi/code-serverpkg:apk/wolfi/code-server-compatpkg:npm/undici
< 4.100.2-r1+ 4 more
- (no CPE)range: < 4.100.2-r1
- (no CPE)range: < 4.100.2-r1
- (no CPE)range: < 4.100.2-r1
- (no CPE)range: < 4.100.2-r1
- (no CPE)range: < 5.29.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-cxrh-j4jr-qwg3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-47279ghsaADVISORY
- github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25nvdWEB
- github.com/nodejs/undici/issues/3895nvdWEB
- github.com/nodejs/undici/pull/4088nvdWEB
- github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3nvdWEB
News mentions
0No linked articles in our index yet.