Source: node-undici
Version: 7.18.2+dfsg+~cs3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-undici.

CVE-2026-2581[0]:
| This is an uncontrolled resource consumption vulnerability (CWE-400)
| that can lead to Denial of Service (DoS). In vulnerable Undici
| versions, when interceptors.deduplicate() is enabled, response data
| for deduplicated requests could be accumulated in memory for
| downstream handlers. An attacker-controlled or untrusted upstream
| endpoint can exploit this with large/chunked responses and
| concurrent identical requests, causing high memory usage and
| potential OOM process termination. Impacted users are applications
| that use Undici’s deduplication interceptor against endpoints that
| may produce large or long-lived response bodies.
|
| Patches
|
| The issue has been patched by changing deduplication behavior to stream
| response chunks to downstream handlers as they arrive (instead of
| full-body accumulation), and by preventing late deduplication when
| body streaming has already started. Users should upgrade to the
| first official Undici (and Node.js, where applicable) releases that
| include this patch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2581
    https://www.cve.org/CVERecord?id=CVE-2026-2581
[1] https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
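The advisory above contrasts two ways a deduplication interceptor can share one upstream response between identical concurrent requests: accumulating the whole body before replaying it (the pattern that lets a large or long-lived upstream body drive memory use up) versus forwarding each chunk to subscribers as it arrives and refusing to deduplicate requests that show up after streaming has begun. The following is an added, self-contained model of both strategies written for this report; it is not undici's code and makes no claim about how `interceptors.deduplicate()` is implemented. Everything in it is constructed: the fake chunked upstream, the `DedupBase`/`BufferingDedup`/`StreamingDedup` classes, the handler shape (`onChunk`/`onEnd`), and the `measure`/`measureLateJoin` harnesses that report peak bytes held, upstream fetches made, and whether every handler saw the full body.

```javascript
// Added illustration, not undici's own code: an in-process model of the two
// deduplication strategies the advisory contrasts. Constructed assumptions: an
// upstream is an async generator of byte chunks; a handler has onChunk/onEnd.

async function* fakeUpstream(chunks, size) {
  for (let i = 0; i < chunks; i++) {
    yield new Uint8Array(size).fill(0x41); // one chunk of a chunked response
  }
}

class DedupBase {
  constructor(fetch) {
    this.fetch = fetch;        // key -> async iterable of chunks
    this.inflight = new Map(); // key -> in-flight entry
    this.peakBuffered = 0;     // most bytes held at once: the DoS metric
    this.upstreamFetches = 0;
  }
}

// Accumulating strategy (the vulnerable pattern): one upstream fetch per key, but
// the whole body is held until complete and only then replayed to each handler.
class BufferingDedup extends DedupBase {
  request(key, handler) {
    let entry = this.inflight.get(key);
    if (!entry) {
      entry = { handlers: [] };
      this.inflight.set(key, entry);
      entry.done = (async () => {
        this.upstreamFetches++;
        const parts = [];
        let held = 0;
        for await (const chunk of this.fetch(key)) {
          parts.push(chunk); // peak memory grows to the full body size
          held += chunk.length;
          this.peakBuffered = Math.max(this.peakBuffered, held);
        }
        this.inflight.delete(key);
        for (const h of entry.handlers) { parts.forEach((c) => h.onChunk(c)); h.onEnd(); }
      })();
    }
    entry.handlers.push(handler);
    return entry.done;
  }
}

// Streaming strategy (the fix): each chunk is forwarded to all subscribers as it
// arrives and then dropped, so at most one chunk is held. Once streaming has
// started, a late identical request has missed chunks and is not deduplicated.
class StreamingDedup extends DedupBase {
  request(key, handler) {
    const existing = this.inflight.get(key);
    if (existing && !existing.streaming) {
      existing.handlers.push(handler); // joined before the first chunk: share it
      return existing.done;
    }
    const entry = { handlers: [handler], streaming: false };
    this.inflight.set(key, entry); // a late joiner gets its own upstream fetch
    entry.done = (async () => {
      this.upstreamFetches++;
      for await (const chunk of this.fetch(key)) {
        entry.streaming = true; // no new subscribers from here on
        this.peakBuffered = Math.max(this.peakBuffered, chunk.length);
        for (const h of entry.handlers) h.onChunk(chunk);
      }
      if (this.inflight.get(key) === entry) this.inflight.delete(key);
      for (const h of entry.handlers) h.onEnd();
    })();
    return entry.done;
  }
}

// Byte-counting test handler; `onFirstChunk` lets a test react mid-stream.
function makeHandler(onFirstChunk) {
  const h = { received: 0, ended: false, onEnd: () => { h.ended = true; } };
  h.onChunk = (chunk) => { if (h.received === 0 && onFirstChunk) onFirstChunk(); h.received += chunk.length; };
  return h;
}

// `concurrent` identical requests: peak held bytes, upstream fetches, completeness.
async function measure(Dedup, concurrent, chunks, chunkSize) {
  const dedup = new Dedup(() => fakeUpstream(chunks, chunkSize));
  const handlers = Array.from({ length: concurrent }, () => makeHandler());
  await Promise.all(handlers.map((h) => dedup.request('GET /large', h)));
  return { peakBuffered: dedup.peakBuffered, upstreamFetches: dedup.upstreamFetches,
           allComplete: handlers.every((h) => h.ended && h.received === chunks * chunkSize) };
}

// A request arriving after the first chunk has streamed gets a fresh fetch and
// must still receive the whole body.
async function measureLateJoin(chunks, chunkSize) {
  const dedup = new StreamingDedup(() => fakeUpstream(chunks, chunkSize));
  const late = makeHandler();
  let latePromise;
  const early = makeHandler(() => { latePromise = dedup.request('GET /large', late); });
  await dedup.request('GET /large', early);
  await latePromise;
  return { upstreamFetches: dedup.upstreamFetches,
           bothComplete: [early, late].every((h) => h.ended && h.received === chunks * chunkSize) };
}
```

Running `measure(BufferingDedup, 4, 8, 65536)` against `measure(StreamingDedup, 4, 8, 65536)` shows the difference the patch description is about: both make a single upstream fetch and deliver the complete body to all four handlers, but the accumulating version's peak held bytes equal the whole body (8 chunks) while the streaming version never holds more than one chunk, whatever the body length. `measureLateJoin` shows the second half of the fix: a request that arrives after streaming has begun is given its own fetch (two upstream fetches in total) rather than being attached to a stream it has already partly missed.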

