nodejs undici
cpe:2.3:a:nodejs:undici:*:*:*:*:node.js:*:*
- >= 7.17.0, < 7.24.0
A denial-of-service vulnerability due to uncontrolled resource consumption has been identified in Undici versions 7.17.0 prior to 7.24.0. When the deduplication interceptor is enabled, response data from deduplicated requests can accumulate in memory while it is held for the downstream handlers that share the deduplicated request. Exploitation requires an attacker-controlled or untrusted upstream endpoint that returns large or chunked responses, combined with concurrent identical requests issued by the application. The result is high memory usage, potentially leading to out-of-memory process termination. Applications that use Undici's deduplication interceptor against endpoints producing large or long-lived response bodies are affected.
Exploitation of this vulnerability causes high memory usage, with the potential for the process to terminate due to out-of-memory conditions.
Users should upgrade to Undici version 7.24.0 or later. If an immediate upgrade is not possible, the deduplication interceptor can be disabled for the affected clients or routes. Alternatively, high-risk requests can be forced to bypass deduplication by combining the skipHeaderNames option with a marker header sent on those requests. It is also advisable to enforce response-size and timeout limits at the upstream or proxy level, so that an oversized or slow body is cut off before it can accumulate in the client.