Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-2581

CVE-2026-2581: Undici Deduplication DoS Vulnerability

CVE-2026-2581 is a denial of service flaw in Undici's deduplication interceptor that allows attackers to cause memory exhaustion through large responses. This post covers technical details, affected versions, and patches.

Published:

CVE-2026-2581 Overview

CVE-2026-2581 is an uncontrolled resource consumption vulnerability (CWE-770) in Undici, a fast HTTP/1.1 client for Node.js, that can lead to Denial of Service (DoS) conditions. When the interceptors.deduplicate() feature is enabled, response data for deduplicated requests is accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this behavior by sending large or chunked responses while triggering concurrent identical requests, resulting in excessive memory consumption and potential Out-of-Memory (OOM) process termination.

Critical Impact

Applications using Undici's deduplication interceptor against untrusted endpoints may experience memory exhaustion and service disruption when processing large or long-lived response bodies.

Affected Products

  • Undici HTTP client (vulnerable versions with interceptors.deduplicate() functionality)
  • Node.js applications utilizing Undici's deduplication interceptor
  • Applications communicating with untrusted upstream endpoints using request deduplication

Discovery Timeline

  • 2026-03-12 - CVE CVE-2026-2581 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-2581

Vulnerability Analysis

This vulnerability affects the request deduplication interceptor in Undici. The deduplication feature is designed to prevent redundant outbound requests by consolidating identical concurrent requests and sharing the response data among them. However, the original implementation accumulated the entire response body in memory before distributing it to downstream handlers.

When an attacker controls or influences an upstream endpoint, they can exploit this memory accumulation behavior by returning exceptionally large responses or implementing chunked transfer encoding with long-lived connections. Combined with concurrent identical requests from the application, this causes the memory footprint to grow uncontrollably as response data buffers expand.

The vulnerability is particularly dangerous in scenarios where applications communicate with external or user-influenced endpoints while using the deduplication feature to optimize performance. The memory consumption scales with both response size and the number of deduplicated requests, creating conditions for rapid memory exhaustion.

Root Cause

The root cause lies in Undici's original deduplication implementation which performed full-body accumulation of response data before forwarding to downstream handlers. This design decision meant that large responses had to be fully buffered in memory, creating a resource consumption vulnerability when processing oversized or maliciously crafted responses.

Additionally, the implementation allowed late deduplication to occur even after body streaming had already started, compounding the memory accumulation issue across multiple concurrent request handlers.

Attack Vector

The attack vector is network-based, requiring an attacker to control or influence an upstream endpoint that the vulnerable application communicates with using Undici's deduplication interceptor. The attack can be executed by:

  1. Identifying applications that use interceptors.deduplicate() against external endpoints
  2. Causing the target application to make multiple concurrent identical requests to an attacker-controlled endpoint
  3. Responding with extremely large payloads or implementing slow chunked responses that keep connections open while accumulating data
  4. The response data accumulates in memory across all deduplicated request handlers, potentially exhausting available memory and causing OOM termination

The attack complexity is considered high as it requires specific conditions: the deduplication interceptor must be enabled, the target must make concurrent identical requests, and the attacker must have influence over the upstream response content.

Detection Methods for CVE-2026-2581

Indicators of Compromise

  • Abnormal memory growth in Node.js processes utilizing Undici HTTP client
  • Unusually large response bodies from upstream endpoints during concurrent request patterns
  • Process termination events caused by Out-of-Memory conditions
  • Increased response times correlating with memory pressure during deduplication operations

Detection Strategies

  • Monitor Node.js process memory metrics for gradual or sudden increases during HTTP client operations
  • Implement logging for Undici deduplication interceptor usage and response sizes
  • Configure heap memory thresholds and alerts for applications using request deduplication
  • Review application code for interceptors.deduplicate() usage against untrusted or external endpoints

Monitoring Recommendations

  • Set up memory usage alerting thresholds for Node.js application processes
  • Monitor upstream endpoint response sizes and duration for anomalous patterns
  • Implement circuit breakers to limit memory exposure from long-running HTTP operations
  • Enable garbage collection monitoring to detect memory pressure from buffered response data

How to Mitigate CVE-2026-2581

Immediate Actions Required

  • Upgrade Undici to the latest patched version that includes streaming deduplication behavior
  • Review application code for usage of interceptors.deduplicate() against untrusted endpoints
  • Consider temporarily disabling the deduplication interceptor if patches cannot be applied immediately
  • Implement response size limits at the application level for requests to external endpoints

Patch Information

The vulnerability has been patched by modifying the deduplication behavior to stream response chunks to downstream handlers as they arrive, rather than accumulating the full response body in memory. The fix also prevents late deduplication when body streaming has already commenced, eliminating the memory accumulation condition.

Users should upgrade to the first official Undici releases (and Node.js distributions where applicable) that include this security patch. Refer to the GitHub Advisory GHSA-phc3-fgpg-7m6h for specific version information.

Additional resources:

Workarounds

  • Disable the interceptors.deduplicate() feature until patches can be applied
  • Implement upstream response size limits using reverse proxies or middleware
  • Avoid using deduplication interceptor for requests to untrusted or external endpoints
  • Configure Node.js memory limits (--max-old-space-size) to prevent complete system exhaustion while accepting potential service restarts

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne