undici is vulnerable to Unbounded Memory Consumption in in Undici's DeduplicationHandler via Response Buffering leads to DoS

Undici is an HTTP/1.1 client for Node.js [1]. In vulnerable versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests is fully buffered in memory before being forwarded to downstream handlers [2][4]. This uncontrolled resource consumption (CWE-400) occurs because the interceptor accumulates the entire response body for each unique request, even if subsequent identical requests are made concurrently [2].

An attacker who controls or can influence an upstream HTTP endpoint can trigger the vulnerability by sending large or chunked responses while inducing multiple concurrent identical requests from the target application [2][4]. The attack requires no authentication beyond normal network access to the vulnerable client, and the interceptor must be enabled for the affected route [4].

Successful exploitation leads to high memory usage and can result in process termination due to out-of-memory (OOM) conditions, effectively causing a denial of service (DoS) [2][4]. The impact is limited to applications that use Undici's deduplication interceptor against endpoints that may return large or long-lived response bodies [4].

The issue has been patched by modifying deduplication to stream response chunks as they arrive rather than accumulating the full body, and by preventing late deduplication once body streaming has started [2][4]. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch [2]. As a workaround, users can disable the deduplication interceptor, skip deduplication for high-risk requests, or apply upstream response-size limits [4].