nodejs undici
cpe:2.3:a:nodejs:undici:*:*:*:*:node.js:*:*
- < 5.29.0
- >= 6.0.0, < 6.21.2
- >= 7.0.0, < 7.5.0
A denial-of-service vulnerability has been identified in the Undici HTTP/1.1 client for Node.js, affecting versions before 5.29.0, 6.x versions before 6.21.2, and 7.x versions before 7.5.0. The issue arises in applications that use Undici to implement webhook-like systems. If an attacker controls a webhook endpoint that presents an invalid TLS certificate and can cause the application to call that endpoint repeatedly, the application leaks memory. The vulnerability has been patched in versions 5.29.0, 6.21.2, and 7.5.0.
Exploitation of this vulnerability causes a memory leak in the application, which can lead to out-of-memory errors, especially when the Node.js process is running with low memory limits.
The vulnerability can be reproduced by installing Undici version 7.0.0 and running a script that uses the `fetch` function from Undici to make repeated requests to a server with a bad TLS certificate. The response body should be consumed to simulate real-world usage, which will trigger the memory leak.
Users can update to Undici versions 5.29.0, 6.21.2, or 7.5.0 to address this vulnerability. Instructions for updating can be found in the release notes on the Undici GitHub repository.
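The following is an added example, not code from the advisory or from the Undici project: it checks every copy of `undici` recorded in a `package-lock.json` (lockfile version 2 or 3, including nested copies pulled in by other dependencies) against the affected ranges listed above. The sample lockfile contents are constructed for illustration.

```javascript
// Affected ranges from the advisory: [min inclusive (or none), max exclusive].
const AFFECTED_RANGES = [
  { min: null, max: "5.29.0" },
  { min: "6.0.0", max: "6.21.2" },
  { min: "7.0.0", max: "7.5.0" },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when the version falls inside any of the affected ranges.
function isVulnerableUndici(version) {
  return AFFECTED_RANGES.some(({ min, max }) =>
    (min === null || compareSemver(version, min) >= 0) &&
    compareSemver(version, max) < 0);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed copy of undici, top-level or nested.
function findUndiciInLockfile(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/undici" || path.endsWith("/node_modules/undici")) {
      out.push({ path, version: meta.version, vulnerable: isVulnerableUndici(meta.version) });
    }
  }
  return out;
}

// Constructed sample lockfile (not real project data): a patched top-level
// copy plus a vulnerable copy nested under a hypothetical "some-sdk" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "webhook-dispatcher" },
    "node_modules/undici": { version: "7.5.0" },
    "node_modules/some-sdk": { version: "1.0.0" },
    "node_modules/some-sdk/node_modules/undici": { version: "6.21.1" },
  },
};

console.log(findUndiciInLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; note that this only covers the npm package, not the copy of Undici bundled inside the Node.js runtime itself.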