CVE-2025-47279: CWE-401: Missing Release of Memory after Effective Lifetime in nodejs undici
CVE-2025-47279 is a low-severity memory leak vulnerability in the Node.js HTTP client library undici, affecting versions prior to 5.29.0, 6.21.2, and 7.5.0. The flaw arises when an attacker controls a server with an invalid certificate and forces repeated webhook calls, causing undici to fail and leak memory. This can degrade application performance or cause crashes due to resource exhaustion.
AI Analysis
Technical Summary
CVE-2025-47279 is a vulnerability classified under CWE-401 (Missing Release of Memory after Effective Lifetime) found in the undici HTTP/1.1 client library for Node.js. Undici is widely used for making HTTP requests in Node.js applications, including webhook implementations. The vulnerability exists in versions prior to 5.29.0, 6.21.2, and 7.5.0. An attacker who controls a malicious server with an invalid TLS certificate can exploit this flaw by causing the vulnerable application to repeatedly call a webhook endpoint that fails certificate validation. Each failed call results in undici leaking memory because it does not properly release allocated resources after the failure. Over time, this memory leak can accumulate, leading to increased memory consumption, degraded performance, and potentially application crashes or denial of service. The vulnerability requires network access to the webhook endpoint and low privileges but has a high attack complexity since the attacker must induce repeated webhook calls and control a server with an invalid certificate. There is no impact on confidentiality or integrity, and no user interaction is required. The issue has been patched in versions 5.29.0, 6.21.2, and 7.5.0 of undici. As a temporary workaround, developers are advised to avoid retrying webhook calls repeatedly if the webhook fails, to limit memory consumption. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, the primary impact of this vulnerability is the risk of denial-of-service conditions caused by memory exhaustion in applications using vulnerable undici versions. This can lead to application instability, crashes, or degraded performance, affecting service availability. Organizations relying on webhook-based integrations or HTTP client functionality in Node.js environments are particularly at risk. While the vulnerability does not compromise data confidentiality or integrity, service disruption can impact business operations, customer experience, and compliance with service-level agreements. The risk is higher for high-traffic services or those that automatically retry failed webhook calls without proper backoff or failure handling. Given the widespread use of Node.js and undici in European tech sectors, especially in fintech, e-commerce, and SaaS providers, the vulnerability could affect critical infrastructure if left unpatched.
Mitigation Recommendations
1. Upgrade undici to versions 5.29.0, 6.21.2, or 7.5.0 or later, depending on the version branch in use, to apply the official patch that fixes the memory leak.
2. Implement robust error handling in webhook consumers to avoid repeated immediate retries on failure, especially when certificate validation fails. Introduce exponential backoff or circuit breaker patterns to limit repeated failed calls.
3. Monitor application memory usage and set alerts for abnormal increases that could indicate exploitation attempts or leaks.
4. Conduct code reviews and dependency audits to identify usage of vulnerable undici versions in all Node.js projects.
5. Where possible, restrict network access to webhook endpoints to trusted sources and enforce strict TLS validation policies.
6. Consider implementing runtime protections such as container memory limits or process supervisors to automatically restart services before memory exhaustion causes crashes.
7. Educate developers and DevOps teams about this vulnerability to ensure timely patching and mitigation.
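The retry discipline in recommendation 2 (and the temporary workaround mentioned in the analysis) in working form, as an added example that is not undici's or the project's own code: a webhook dispatcher that treats a failed certificate validation as non-retryable, backs off exponentially on other transient failures, and opens a circuit breaker after repeated failures. The `send` function, the list of certificate error codes, and the policy defaults are assumptions; no network access is needed to run it.

```javascript
// Node.js/OpenSSL error codes raised when TLS certificate validation fails
// (assumed subset; extend for your deployment).
const CERT_ERROR_CODES = new Set([
  'CERT_HAS_EXPIRED', 'DEPTH_ZERO_SELF_SIGNED_CERT', 'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', 'ERR_TLS_CERT_ALTNAME_INVALID',
]);
// undici's fetch reports network/TLS errors as TypeError('fetch failed') with the
// underlying error on `cause`; undici.request() puts `code` on the error itself.
function errorCode(err) {
  return (err && err.cause && err.cause.code) || (err && err.code) || 'UNKNOWN';
}
function isCertificateError(err) {
  return CERT_ERROR_CODES.has(errorCode(err));
}
// Decide whether 1-based attempt `attempt` may be retried, and after how long.
function retryDecision(err, attempt, { maxAttempts = 3, baseDelayMs = 250 } = {}) {
  // A bad certificate will not fix itself on the next try; retrying only
  // re-enters the failure path that leaks memory in unpatched undici.
  if (isCertificateError(err)) return { retry: false, delayMs: 0, reason: errorCode(err) };
  if (attempt >= maxAttempts) return { retry: false, delayMs: 0, reason: 'exhausted' };
  return { retry: true, delayMs: baseDelayMs * 2 ** (attempt - 1), reason: 'transient' };
}
class WebhookDispatcher {
  // send: (url, payload) => Promise<void>, e.g. a thin wrapper around undici fetch (assumed).
  constructor(send, policy = {}) {
    this.send = send;
    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
    this.policy = { breakerThreshold: 5, sleep, ...policy };
    this.consecutiveFailures = 0; // counts attempts, so one bad endpoint trips it fast
  }
  async deliver(url, payload) {
    // Open circuit: make no call at all until the caller resets the breaker.
    if (this.consecutiveFailures >= this.policy.breakerThreshold) {
      return { ok: false, attempts: 0, reason: 'circuit-open' };
    }
    for (let attempt = 1; ; attempt += 1) {
      try {
        await this.send(url, payload);
        this.consecutiveFailures = 0;
        return { ok: true, attempts: attempt, reason: 'delivered' };
      } catch (err) {
        this.consecutiveFailures += 1;
        const decision = retryDecision(err, attempt, this.policy);
        if (!decision.retry) return { ok: false, attempts: attempt, reason: decision.reason };
        await this.policy.sleep(decision.delayMs);
      }
    }
  }
}
```

Wire `send` to your real HTTP call and add a memory-usage alert (recommendation 3) alongside it; the breaker reason `circuit-open` in the returned result is the signal that an endpoint has been cut off.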
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-05T16:53:10.373Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 2/7/2026, 8:06:49 AM
Last updated: 2/7/2026, 5:53:17 PM