CVE-2025-47279 Overview
CVE-2025-47279 is a memory leak vulnerability in Undici, the popular HTTP/1.1 client for Node.js. Applications that implement webhook-like systems using Undici are vulnerable when an attacker sets up a server with an invalid certificate and forces the application to repeatedly call the webhook. This repeated invocation pattern can cause progressive memory exhaustion, potentially leading to denial of service conditions in affected applications.
Critical Impact
Applications using Undici for webhook implementations may experience memory exhaustion when repeatedly connecting to servers with invalid TLS certificates, potentially causing application instability or crashes.
Affected Products
- Undici 5.x versions prior to 5.29.0
- Undici 6.x versions prior to 6.21.2
- Undici 7.x versions prior to 7.5.0
Discovery Timeline
- 2025-05-15 - CVE-2025-47279 published to NVD
- 2025-05-16 - Last updated in the NVD database
Technical Details for CVE-2025-47279
Vulnerability Analysis
This vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime), indicating a memory leak condition. The flaw exists in how Undici handles connections to servers presenting invalid TLS certificates. When webhook retry logic repeatedly attempts to connect to a malicious server configured with an invalid certificate, memory is allocated but not properly released after the connection failure. Over time, this causes memory consumption to grow unbounded.
The attack requires network access and some level of authenticated access to trigger the webhook system. Exploitation complexity is high: an attacker must both control a server presenting an invalid certificate and be able to trigger repeated webhook calls to it. The impact is limited to availability, as the memory leak does not expose sensitive data or allow code execution.
Root Cause
The root cause stems from improper memory management in Undici's TLS certificate validation error handling path. When a connection attempt fails due to an invalid certificate, certain memory allocations associated with the failed TLS handshake are not properly freed. This manifests as CWE-401, where memory resources are not released after they are no longer needed, creating a gradual resource exhaustion condition.
Attack Vector
The attack vector requires network access to exploit. An attacker must:
- Set up a malicious server with an intentionally invalid TLS certificate
- Gain the ability to trigger webhook calls from the target application to their malicious server
- Repeatedly trigger webhook invocations, causing the target application to accumulate leaked memory with each failed TLS handshake
The exploitation scenario is limited by the requirement for both network positioning and the ability to influence webhook targets in the victim application. This reduces the practical exploitability in many deployment scenarios.
Detection Methods for CVE-2025-47279
Indicators of Compromise
- Gradual increase in Node.js process memory consumption over time without corresponding workload increase
- Repeated TLS certificate validation errors in application logs pointing to the same external endpoint
- Webhook retry failures accumulating against servers with invalid or self-signed certificates
Detection Strategies
- Monitor Node.js heap memory metrics for unexpected growth patterns in applications using Undici
- Alert on repeated TLS handshake failures to external webhook endpoints
- Implement application-level memory profiling to detect leak patterns associated with HTTP client operations
Monitoring Recommendations
- Configure memory threshold alerts for Node.js processes running webhook-based services
- Log and track TLS certificate errors per destination and alert when their rate against a single endpoint exceeds a threshold
- Implement webhook destination validation to identify potentially malicious endpoints before repeated retry attempts
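The detection strategies above (alerting on repeated TLS handshake failures to the same endpoint) as an added example that is not part of this advisory: a small analyzer that parses webhook delivery log lines, keeps only certificate validation failures, and flags any destination host that fails repeatedly inside a time window. The log format, host names and timestamps are constructed for the demo; the error codes are the ones Node.js/OpenSSL report for certificate validation failures.

```javascript
// Added example (not part of the advisory): flag webhook destinations whose TLS
// certificate validation keeps failing, the pattern that drives the CVE-2025-47279
// leak. Log format, hosts and timestamps below are constructed for this demo.
const CERT_ERROR_CODES = new Set([
  "UNABLE_TO_VERIFY_LEAF_SIGNATURE", "DEPTH_ZERO_SELF_SIGNED_CERT",
  "SELF_SIGNED_CERT_IN_CHAIN", "CERT_HAS_EXPIRED", "ERR_TLS_CERT_ALTNAME_INVALID",
]);
// Constructed sample lines: "<iso timestamp> <level> <message> url=<url> code=<code>".
const SAMPLE_LOG = [
  "2025-05-16T10:00:01Z ERROR webhook delivery failed url=https://hooks.bad.test/evt code=DEPTH_ZERO_SELF_SIGNED_CERT",
  "2025-05-16T10:00:12Z ERROR webhook delivery failed url=https://hooks.bad.test/evt code=DEPTH_ZERO_SELF_SIGNED_CERT",
  "2025-05-16T10:00:20Z ERROR webhook delivery failed url=https://hooks.good.test/evt code=ECONNREFUSED",
  "2025-05-16T10:00:31Z ERROR webhook delivery failed url=https://hooks.bad.test/evt code=DEPTH_ZERO_SELF_SIGNED_CERT",
  "2025-05-16T10:05:00Z ERROR webhook delivery failed url=https://hooks.other.test/evt code=CERT_HAS_EXPIRED",
];
const LINE_RE = /^(\S+) \S+ .*?url=(\S+) .*?code=(\S+)/;

// Parse one line into { ts, host, code }, or null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  let host;
  try { host = new URL(m[2]).host; } catch { return null; }
  return { ts: Date.parse(m[1]), host, code: m[3] };
}

// Return hosts that hit `threshold` cert failures inside any `windowMs` window,
// ignoring non-certificate errors such as connection refusals.
function findRepeatedCertFailures(lines, { threshold = 3, windowMs = 60_000 } = {}) {
  const byHost = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !CERT_ERROR_CODES.has(ev.code)) continue;
    if (!byHost.has(ev.host)) byHost.set(ev.host, []);
    byHost.get(ev.host).push(ev.ts);
  }
  const alerts = [];
  for (const [host, times] of byHost) {
    times.sort((a, b) => a - b);
    let start = 0;                       // sliding window over sorted timestamps
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { alerts.push({ host, failures: times.length }); break; }
    }
  }
  return alerts;
}
```

Feed it the lines your webhook worker writes on delivery failure and route the returned hosts to the same alerting path as your memory threshold alerts, so a climbing heap and a single repeatedly failing destination can be correlated.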
How to Mitigate CVE-2025-47279
Immediate Actions Required
- Upgrade Undici to version 5.29.0, 6.21.2, or 7.5.0 depending on your major version branch
- Review webhook implementations for proper error handling and retry limits
- Implement circuit breaker patterns to prevent unbounded retry attempts to failing endpoints
Patch Information
The vulnerability has been patched in Undici versions 5.29.0, 6.21.2, and 7.5.0. The fix addresses the memory leak by properly releasing memory resources when TLS certificate validation fails. For technical details on the patch implementation, see the GitHub Pull Request and the GitHub Security Advisory.
Workarounds
- Implement retry limits on webhook calls to prevent unbounded memory accumulation from repeated failures
- Add circuit breaker logic to stop calling webhooks that repeatedly fail with certificate errors
- Validate webhook destinations before allowing them to be registered in the application
- Consider implementing webhook destination allowlists to prevent connections to untrusted servers
# Update Undici to the latest patched version
npm install undici@latest
# Or install the specific patched version for your major version branch
npm install undici@5.29.0 # For the 5.x branch
npm install undici@6.21.2 # For the 6.x branch
npm install undici@7.5.0 # For the 7.x branch
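The retry-limit, circuit-breaker and destination-allowlist workarounds above as an added example that is neither this advisory's nor undici's own code: a per-destination dispatcher that refuses to register hosts outside an allowlist and stops calling a host once its certificate validation has failed a set number of times. The transport is injected so the demo runs without undici installed; in production you would pass a function that calls undici's request() or fetch(). The allowlist, cooldown values and the simulated self-signed-certificate transport are constructed for the demo.

```javascript
// Added example (not part of the advisory or of undici): per-destination
// circuit breaker and destination allowlist for webhook delivery. The
// transport is injected so the demo runs without undici installed; in
// production pass a function that calls undici's request() or fetch().
const CERT_ERROR_CODES = new Set([
  "UNABLE_TO_VERIFY_LEAF_SIGNATURE", "DEPTH_ZERO_SELF_SIGNED_CERT",
  "SELF_SIGNED_CERT_IN_CHAIN", "CERT_HAS_EXPIRED", "ERR_TLS_CERT_ALTNAME_INVALID",
]);
class WebhookDispatcher {
  constructor(transport, { allowedHosts = [], maxCertFailures = 3,
                           cooldownMs = 300_000, now = Date.now } = {}) {
    this.transport = transport;          // (url, body) => Promise
    this.allowedHosts = new Set(allowedHosts);
    this.maxCertFailures = maxCertFailures;
    this.cooldownMs = cooldownMs;
    this.now = now;                      // injectable clock for tests
    this.state = new Map();              // host -> { failures, openUntil }
  }
  // Validate a destination before it is stored (allowlist workaround).
  register(url) {
    const host = new URL(url).host;
    if (!this.allowedHosts.has(host)) throw new Error(`host ${host} is not allowlisted`);
    return url;
  }
  // Deliver one webhook; stop calling a host whose certificate keeps failing
  // instead of retrying it without bound.
  async deliver(url, body) {
    const host = new URL(url).host;
    const s = this.state.get(host) ?? { failures: 0, openUntil: 0 };
    if (s.openUntil > this.now()) return { sent: false, reason: "circuit-open" };
    try {
      await this.transport(url, body);
      this.state.set(host, { failures: 0, openUntil: 0 });
      return { sent: true };
    } catch (err) {
      if (!CERT_ERROR_CODES.has(err.code)) throw err; // other errors: normal retry policy
      s.failures += 1;
      if (s.failures >= this.maxCertFailures) s.openUntil = this.now() + this.cooldownMs;
      this.state.set(host, s);
      return { sent: false, reason: err.code };
    }
  }
}
// Constructed transport that behaves like a server presenting a self-signed cert.
async function selfSignedCertTransport() {
  const err = new Error("self signed certificate");
  err.code = "DEPTH_ZERO_SELF_SIGNED_CERT";
  throw err;
}
```

Once the circuit for a host opens, further deliveries return immediately without touching the network, which bounds how many failed TLS handshakes an unpatched undici can perform against that host.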
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.