Missing Release of Memory after Effective Lifetime in org.webjars.npm:github-com-nodejs-undici

CVE-2025-47279

org.webjars.npm:github-com-nodejs-undici
org.webjars.npm:undici
undici

Low

3.1/10

Summary

Undici is an HTTP/1.1 client for Node.js. In versions prior to 5.29.0, 6.x prior to 6.21.2, and 7.x prior to 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate and they can force the application to call the webhook repeatedly, then they can cause a memory leak. As a workaround, avoid calling a webhook repeatedly if the webhook fails.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-401 - Missing release of memory after effective lifetime (memory leak)

'Missing release of memory after effective lifetime (memory leak)' is a weakness that occurs when software doesn't effectively release allocated memory after it is used. If not addressed, this enables attackers to launch denial of service attacks (by crashing or hanging the program) or take advantage of other unexpected behavior resulting from low memory conditions.

References

Advisory Timeline

Published May 15, 2025

Missing Release of Memory after Effective Lifetime in org.webjars.npm:github-com-nodejs-undici

CVE-2025-47279

Summary

CWE-401 - Missing release of memory after effective lifetime (memory leak)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS