VYPR
Low severity · 3.1 · OSV Advisory · Published May 15, 2025 · Updated Apr 15, 2026

CVE-2025-47279

Description

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
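One way to apply the workaround on a deployment that cannot upgrade yet, as an added example (not code from undici or from this advisory): a per-origin gate that stops delivery after repeated failures and backs off exponentially. `WebhookGate`, `deliver`, the injected `send` function and all thresholds are hypothetical names and values.

```javascript
// Added example: WebhookGate, deliver and all thresholds are hypothetical.
class WebhookGate {
  constructor({ maxFailures = 3, baseDelayMs = 60000, maxDelayMs = 3600000, maxEntries = 10000 } = {}) {
    Object.assign(this, { maxFailures, baseDelayMs, maxDelayMs, maxEntries });
    this.state = new Map(); // origin -> { failures, blockedUntil }
  }

  // Key on the origin so a failing host cannot be re-tried through many paths.
  static key(url) {
    return new URL(url).origin;
  }

  allow(url, now = Date.now()) {
    const s = this.state.get(WebhookGate.key(url));
    return !s || now >= s.blockedUntil;
  }

  record(url, ok, now = Date.now()) {
    const k = WebhookGate.key(url);
    if (ok) return void this.state.delete(k);
    const s = this.state.get(k) || { failures: 0, blockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      // Exponential back-off from the threshold onward, capped at maxDelayMs.
      const delay = this.baseDelayMs * 2 ** (s.failures - this.maxFailures);
      s.blockedUntil = now + Math.min(delay, this.maxDelayMs);
    }
    // Bound the table itself: evict the oldest entry rather than grow forever.
    if (!this.state.has(k) && this.state.size >= this.maxEntries) {
      this.state.delete(this.state.keys().next().value);
    }
    this.state.set(k, s);
  }
}

// `send` is any promise-returning sender, e.g. a wrapper around the HTTP client.
async function deliver(gate, url, payload, send) {
  if (!gate.allow(url)) return { delivered: false, reason: 'suppressed' };
  try {
    await send(url, payload);
    gate.record(url, true);
    return { delivered: true };
  } catch (err) {
    // TLS failures (such as an invalid certificate) land here like any other error.
    gate.record(url, false);
    return { delivered: false, reason: err.code || err.message };
  }
}
```

The gate only reduces how often a failing destination is contacted; upgrading to a patched version remains the fix.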

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| undici (npm) | < 5.29.0 | 5.29.0 |
| undici (npm) | >= 6.0.0, < 6.21.2 | 6.21.2 |
| undici (npm) | >= 7.0.0, < 7.5.0 | 7.5.0 |
