{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-47279", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-05T16:53:10.373Z", "datePublished": "2025-05-15T17:16:02.738Z", "dateUpdated": "2026-02-06T19:14:56.281Z"}, "containers": {"cna": {"title": "undici Denial of Service attack via bad certificate data", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3"}, {"name": "https://github.com/nodejs/undici/issues/3895", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/issues/3895"}, {"name": "https://github.com/nodejs/undici/pull/4088", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/pull/4088"}, {"name": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25"}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"version": "< 5.29.0", "status": "affected"}, {"version": ">= 6.0.0, < 6.21.2", "status": "affected"}, {"version": ">= 7.0.0, < 7.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T19:14:56.281Z"}, "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails."}], "source": {"advisory": "GHSA-cxrh-j4jr-qwg3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-15T17:51:54.156281Z", "id": "CVE-2025-47279", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T13:44:28.438Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47279", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-15T17:51:54.156281Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T17:56:23.757Z"}}], "cna": {"title": "undici Denial of Service attack via bad certificate data", "source": {"advisory": "GHSA-cxrh-j4jr-qwg3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"status": "affected", "version": "< 5.29.0"}, {"status": "affected", "version": ">= 6.0.0, < 6.21.2"}, {"status": "affected", "version": ">= 7.0.0, < 7.5.0"}]}], "references": [{"url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3", "name": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nodejs/undici/issues/3895", "name": "https://github.com/nodejs/undici/issues/3895", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nodejs/undici/pull/4088", "name": "https://github.com/nodejs/undici/pull/4088", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25", "name": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T19:14:56.281Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47279", "state": "PUBLISHED", "dateUpdated": "2026-02-06T19:14:56.281Z", "dateReserved": "2025-05-05T16:53:10.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-15T17:16:02.738Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails."}, {"lang": "es", "value": "Undici es un cliente HTTP/1.1 para Node.js. En versiones anteriores a la 5.29.0, 6.21.2 y 7.5.0, las aplicaciones que usan undici para implementar un sistema similar a un webhook son vulnerables. Si el atacante configura un servidor con un certificado no v\u00e1lido y logra forzar la aplicaci\u00f3n a llamar al webhook repetidamente, puede causar una fuga de memoria. Esto se ha corregido en las versiones 5.29.0, 6.21.2 y 7.5.0. Como soluci\u00f3n alternativa, evite llamar a un webhook repetidamente si este falla."}], "id": "CVE-2025-47279", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-15T18:15:38.027", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25"}, {"source": "security-advisories@github.com", "url": "https://github.com/nodejs/undici/issues/3895"}, {"source": "security-advisories@github.com", "url": "https://github.com/nodejs/undici/pull/4088"}, {"source": "security-advisories@github.com", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "undici: Undici Memory Leak with Invalid Certificates", "id": "2366632", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366632"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-401", "details": ["Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.", "A memory leak vulnerability has been discovered in the Undici HTTP/1.1 client library. This flaw can be triggered by repeatedly calling a webhook endpoint that presents an invalid TLS certificate. Continuous interaction with such an endpoint can cause the Undici library to allocate memory without properly releasing it, potentially leading to excessive memory consumption. Over time, this could result in resource exhaustion, impacting the availability and stability of applications relying on Undici for webhook communication."], "name": "CVE-2025-47279", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Fix deferred", "package_name": "io.cryostat-cryostat", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed-tech-preview/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-data-science-pipelines-argo-argoexec-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-rhel8-operator", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odf-multicluster-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2025-05-15T17:16:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-47279\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-47279\nhttps://github.com/nodejs/undici/issues/3895\nhttps://github.com/nodejs/undici/pull/4088\nhttps://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3"], "threat_severity": "Low"}

{"created": "2025-06-23T19:31:58.392633+00:00", "updated": "2025-06-23T19:31:58.392710+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$undici"]}