Source: node-undici Version: 7.3.0+dfsg1+~cs24.12.11-1 Severity: important Tags: security upstream Forwarded: https://github.com/nodejs/undici/issues/3895 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for node-undici. CVE-2025-47279[0]: | Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, | 6.21.2, and 7.5.0, applications that use undici to implement a | webhook-like system are vulnerable. If the attacker set up a server | with an invalid certificate, and they can force the application to | call the webhook repeatedly, then they can cause a memory leak. This | has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a | workaound, avoid calling a webhook repeatedly if the webhook fails. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-47279 https://www.cve.org/CVERecord?id=CVE-2025-47279 [1] https://github.com/nodejs/undici/issues/3895 [2] https://github.com/nodejs/undici/pull/4088 Regards, Salvatore
