CVE-2025-47279: 
JavaScript vulnerability analysis and mitigation

Undici, an HTTP/1.1 client for Node.js, was found to contain a memory leak vulnerability (CVE-2025-47279) discovered on May 15, 2025. The vulnerability affects versions prior to 5.29.0, 6.21.2, and 7.5.0, specifically impacting applications that use undici to implement webhook-like systems (GitHub Advisory).

The vulnerability is characterized by a memory leak that occurs when handling invalid certificates in webhook implementations. It has been assigned a CVSS v3.1 score of 3.1 (Low) with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L. The technical nature of the vulnerability involves continuous memory allocation without proper release when repeatedly calling endpoints that present invalid TLS certificates (GitHub Advisory).

When exploited, this vulnerability can lead to excessive memory consumption over time, potentially resulting in resource exhaustion and affecting the availability and stability of applications that rely on Undici for webhook communication. The impact is particularly significant in systems that implement webhook-like functionality where repeated calls to endpoints with invalid certificates can occur (GitHub Advisory).

The vulnerability has been patched in Undici versions 5.29.0, 6.21.2, and 7.5.0. As a workaround for unpatched versions, it is recommended to avoid repeatedly calling a webhook if it fails, particularly when encountering certificate-related errors. Users should upgrade to the patched versions to fully address the vulnerability (GitHub Advisory).

The vulnerability was initially reported as issue #3895 on GitHub and subsequently addressed through pull request #4088. The fix has been widely adopted by dependent projects, including kubernetes-fluent-client, which incorporated the patch in their version 3.4.5 update (GitHub Issue).