Platform
nodejs
Component
undici
Fixed in
6.24.1
7.24.1
7.24.0
CVE-2026-2581 is a Denial of Service (DoS) vulnerability affecting the Undici HTTP client library for Node.js. This vulnerability stems from uncontrolled resource consumption when using the interceptors.deduplicate() feature. Attackers can exploit this by sending large, concurrent, identical requests to trigger excessive memory usage, potentially leading to process termination and service disruption. The vulnerability impacts Undici versions prior to 7.24.0, and a fix is available.
The primary impact of CVE-2026-2581 is a Denial of Service (DoS). An attacker can trigger this by sending a large number of identical, concurrent requests to a server utilizing Undici's deduplication interceptor. These requests, when deduplicated, can cause Undici to accumulate response data in memory. If the upstream endpoint is attacker-controlled and sends large or chunked responses, this can rapidly exhaust available memory, leading to an Out-of-Memory (OOM) error and crashing the Node.js process. The blast radius is limited to the affected Node.js application and its dependent services. This vulnerability is similar in concept to other resource exhaustion attacks, but specifically targets the deduplication feature within Undici.
CVE-2026-2581 was publicly disclosed on 2026-03-13. Its severity is rated MEDIUM. There are currently no known public proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Active exploitation is not confirmed, but the ease of triggering the vulnerability suggests potential for future exploitation.
Applications built on Node.js that utilize the Undici HTTP client library and have the interceptors.deduplicate() feature enabled are at risk. This includes applications that proxy requests or act as intermediaries, as they are more likely to handle untrusted upstream endpoints. Services relying on Undici for outbound HTTP requests are also potentially vulnerable.
• nodejs / server:
# Flag any node process whose RSS (4th column of the pmap "total" line) exceeds 1048576 kB (1 GiB); adjust the threshold to your own baseline
pgrep node | xargs -n 1 pmap -x | awk '/^total/ && $4 > 1048576 { print "Potential DoS vulnerability - high memory usage detected" }'
• nodejs / server:
journalctl -u node -f | grep -i "oom"
• nodejs / server:
lsof -p "$(pgrep -d, node)" | grep -i 'large_response_url'
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2581 is to upgrade to Undici version 7.24.0 or later, which includes a fix for the uncontrolled resource consumption issue. If upgrading is not immediately feasible, consider disabling the interceptors.deduplicate() feature, though this will impact the deduplication functionality. As a temporary workaround, implement rate limiting on incoming requests to reduce the number of concurrent requests processed. Monitoring memory usage within the Node.js process is also recommended to detect potential DoS attacks. After upgrading, confirm the fix by sending a series of large, identical requests and verifying that memory usage remains within acceptable limits.
Upgrade to version 6.24.0 or later, or to version 7.24.0 or later, as appropriate for your release branch. This fixes the uncontrolled memory consumption vulnerability in Undici's deduplication handler.
CVE-2026-2581 is a Denial of Service vulnerability in the Undici Node.js HTTP client. It allows attackers to cause excessive memory consumption by sending large, concurrent requests, potentially crashing the application.
You are affected if you are using Undici versions prior to 7.24.0 and have the interceptors.deduplicate() feature enabled. Assess your dependencies and upgrade accordingly.
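As an added example (not part of this advisory or of the Undici project), the following Node.js script scans a package-lock.json for direct and nested copies of undici and reports any copy below the fixed versions listed on this page. The version thresholds are assumptions taken from the "Fixed in" list above: 7.24.0 for the 7.x branch and 6.24.1 for the 6.x branch (the mitigation text also mentions 6.24.0, so adjust the constant if your advisory source differs); the sample lockfile is constructed.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2/3 "packages" map)
// for undici entries below the fixed versions given on this page.
// Assumed thresholds: 6.24.1 for the 6.x branch, 7.24.0 for the 7.x branch.
// Majors below 6 are treated as unfixed; majors above 7 as unaffected.
const FIXED = { 6: [6, 24, 1], 7: [7, 24, 0] };

function parseVersion(v) {
  // Lockfiles pin exact versions, so only plain "x.y.z" (optionally "vx.y.z") is accepted.
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return parsed[0] < 7; // no fixed release known for this major
  return compareVersions(parsed, fixed) < 0;
}

function findVulnerableUndici(lockfile) {
  const lock = typeof lockfile === 'string' ? JSON.parse(lockfile) : lockfile;
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // Keys look like "node_modules/undici" for a direct copy or
    // "node_modules/<dep>/node_modules/undici" for a nested, transitive copy.
    if (!/(^|\/)node_modules\/undici$/.test(path)) continue;
    if (meta && meta.version && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one vulnerable direct copy and one fixed nested copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { undici: '^7.0.0' } },
    'node_modules/undici': { version: '7.23.2' },
    'node_modules/some-proxy-lib': { version: '1.0.0', dependencies: { undici: '^6.0.0' } },
    'node_modules/some-proxy-lib/node_modules/undici': { version: '6.24.1' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  // Replace SAMPLE_LOCK with fs.readFileSync('package-lock.json', 'utf8') for a real project.
  for (const hit of findVulnerableUndici(SAMPLE_LOCK)) {
    console.log(`${hit.path}: undici ${hit.version} is below the fixed version`);
  }
}
```

Run it against a real project by reading the lockfile from disk as the comment indicates; nested copies matter because a transitive dependency can pull in an old undici even when the top-level range is already patched.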
Upgrade to Undici version 7.24.0 or later. If upgrading is not possible, disable interceptors.deduplicate() or implement rate limiting.
Active exploitation is not currently confirmed, but the vulnerability's nature suggests a potential for future exploitation.
Refer to the Undici project's release notes and security advisories on their GitHub repository for the latest information: [https://github.com/undici/undici](https://github.com/undici/undici)