
Node.js: Undici: Unbounded Memory Consumption in DeduplicationHandler — DoS

CVE-2026-2581 · High · Published
CVSS: 5.9 Medium · Network · No PR
EPSS: 0.00019 (0.0% chance of exploit in 30d)
CWE: CWE-400 Uncontrolled Resource Consumption
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Per GHSA-phc3-fgpg-7m6h: “This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers.”

Affected Packages / Versions

  • Package: undici (npm)
  • Latest published version at triage time: Prior to 7.24.0
  • Affected range: Per GHSA-phc3-fgpg-7m6h: undici >= 7.17.0, < 7.24.0
  • Patched version: Undici 7.24.0

Impact

Per GHSA: “An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.” Affected users: “applications that use Undici’s deduplication interceptor against endpoints that may p[ush large responses]”.

Severity Rationale

GHSA severity: MEDIUM. NVD CVSS 5.9 (Medium): network attack vector, high attack complexity (the attacker must control or influence the upstream endpoint), no privileges or user interaction required, availability-only impact.

Fix

Per GHSA: upgrade Undici to 7.24.0 or later.
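To confirm the upgrade actually landed everywhere (undici is often pulled in transitively and can be nested under other dependencies), here is an added audit script that walks an npm package-lock.json and reports any installed undici copy inside the affected range. It is not code from the advisory or the undici project; the lockfile it scans is a constructed sample, and the range check mirrors the advisory's >= 7.17.0, < 7.24.0 bounds.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3) for
// installed undici copies inside the affected range from GHSA-phc3-fgpg-7m6h.
// The SAMPLE_LOCKFILE below is constructed for the demonstration.

function parseVersion(v) {
  // Drop a leading "v" and any prerelease/build suffix, keep major.minor.patch.
  const core = v.replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected per the advisory: undici >= 7.17.0 and < 7.24.0 (7.24.0 is patched).
function isAffectedUndiciVersion(version) {
  return compareVersions(version, "7.17.0") >= 0 &&
         compareVersions(version, "7.24.0") < 0;
}

// Every lockfile entry installed as "undici", top-level or nested, in the affected range.
function findAffectedUndici(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (name === "undici" && entry.version && isAffectedUndiciVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: one affected top-level copy and one nested, already patched copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/undici": { version: "7.20.1" },
    "node_modules/some-dep/node_modules/undici": { version: "7.24.0" },
  },
};

console.log(findAffectedUndici(SAMPLE_LOCKFILE));
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.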

Disclosure timeline

  • TBD: Reported to vendor
  • TBD: Patch released (Undici 7.24.0)
  • Mar 13, 2026: GHSA-phc3-fgpg-7m6h published

Fix Commit(s)

References

Discovered by Adnan Jakati (Praetorian) — per cve-research listing · Published April 29, 2026