CVE-2025-47279
ADVISORY - github
Summary
Impact
Applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.
Patches
This has been patched in https://github.com/nodejs/undici/pull/4088.
Workarounds
If a webhook fails, avoid calling it repeatedly.
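One way to apply this workaround in a Node.js webhook sender, as an added example that is not the advisory's or undici's own code: a per-endpoint guard treats TLS certificate errors as non-retryable and pauses the endpoint as soon as one occurs (or after a few other failures), so a target presenting an invalid certificate is not called again and again. The `WebhookGuard` class, the error-code set and the injected `send` callback are assumptions; in a real deployment `send` would wrap undici's `request` or the global `fetch`.

```javascript
// Error codes Node/undici surface for certificate failures. Assumption: the set
// a deployment chooses to treat as permanent (extend it for local policy).
const PERMANENT_ERROR_CODES = new Set([
  'CERT_HAS_EXPIRED',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'ERR_TLS_CERT_ALTNAME_INVALID',
]);

// Hypothetical guard: tracks failures per webhook URL and pauses delivery.
class WebhookGuard {
  constructor({ maxFailures = 3, cooldownMs = 60_000, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.cooldownMs = cooldownMs;
    this.now = now; // injectable clock so the logic can be tested offline
    this.state = new Map(); // url -> { failures, disabledUntil }
  }

  // True if the endpoint may be called right now.
  allow(url) {
    const s = this.state.get(url);
    return !s || s.disabledUntil <= this.now();
  }

  // Record one attempt (err === null on success). Returns true if the endpoint
  // is now paused. fetch wraps the TLS error in `cause`; undici's request
  // throws it directly, so both locations of `code` are checked.
  record(url, err) {
    if (!err) {
      this.state.set(url, { failures: 0, disabledUntil: 0 });
      return false;
    }
    const s = this.state.get(url) ?? { failures: 0, disabledUntil: 0 };
    const code = err.cause?.code ?? err.code;
    s.failures += 1;
    if (PERMANENT_ERROR_CODES.has(code) || s.failures >= this.maxFailures) {
      s.disabledUntil = this.now() + this.cooldownMs; // stop hammering the target
    }
    this.state.set(url, s);
    return s.disabledUntil > this.now();
  }

  // Deliver through `send(url, payload)` only when the guard allows it.
  async deliver(url, payload, send) {
    if (!this.allow(url)) return { delivered: false, reason: 'paused' };
    try {
      await send(url, payload);
      this.record(url, null);
      return { delivered: true };
    } catch (err) {
      return { delivered: false, paused: this.record(url, err) };
    }
  }
}
```

A paused endpoint should be surfaced to operators (alert or dashboard) rather than silently retried once the cooldown expires.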
References
Reported as: https://github.com/nodejs/undici/issues/3895
EPSS Score: 0.00043 (0.122)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Missing Release of Memory after Effective Lifetime
ADVISORY - github
Missing Release of Memory after Effective Lifetime
ADVISORY - gitlab
ADVISORY - redhat
Missing Release of Memory after Effective Lifetime