CVE-2025-47279

EUVD-2025-15389
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
nodejsundici
𝑥
< 5.29.0
CNA
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-undici
focal
dne
jammy
dne
noble
needs-triage
oracular
ignored
plucky
ignored
questing
ignored
resolute
needs-triage
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
nodejs20
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-debuginfo
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-debugsource
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-devel
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-docs
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-full-i18n
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-libs
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-libs-debuginfo
Amazon Linux 2023
1:20.19.2-1.amzn2023.0.1
fixed
nodejs20-npm
Amazon Linux 2023
1:10.8.2-1.20.19.2.1.amzn2023.0.1
fixed
nodejs22
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-debuginfo
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-debugsource
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-devel
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-docs
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-full-i18n
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-libs
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-libs-debuginfo
Amazon Linux 2023
1:22.16.0-1.amzn2023.0.1
fixed
nodejs22-npm
Amazon Linux 2023
1:10.9.2-1.22.16.0.1.amzn2023.0.1
fixed
v8-11.3-devel
Amazon Linux 2023
3:11.3.244.8-1.20.19.2.1.amzn2023.0.1
fixed
v8-12.4-devel
Amazon Linux 2023
3:12.4.254.21-1.22.16.0.1.amzn2023.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
nodejs
Azure Linux 3.0
0:20.14.0-8.azl3
fixed
nodejs18
CBL-Mariner 2.0
0:18.20.3-6.cm2
fixed