Description
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).

In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.

Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies.

Patches

The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.

Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
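The two behaviours described in the Description and Patches text above, as an added illustration that is not undici's code: a toy deduplication handler in its buffering form (accumulate the leader's body, replay it to every deduplicated follower, accept joiners at any time) beside its streaming form (forward each chunk as it arrives, keep nothing, refuse a request that arrives after the body has started, since it could no longer be given the full response). The class names, the `simulate` driver, the dedup key, the chunk size and the request count are all constructed for this example and do not correspond to undici internals; the only dependency is Node's global `Buffer`.

```javascript
// Added illustration, not undici's code: a minimal model of a request-
// deduplication handler in two variants, showing why accumulating the whole
// response for deduplicated followers grows with the body size while
// per-chunk fan-out retains only the chunk currently in flight.

// Vulnerable pattern: the leader's body is accumulated until completion and
// then replayed to every follower. Retained memory equals the full body.
class BufferingDedup {
  constructor() {
    this.inflight = new Map(); // key -> { chunks, followers }
    this.peakRetainedBytes = 0;
  }
  request(key, follower) {
    const entry = this.inflight.get(key);
    if (entry) {
      entry.followers.push(follower);
      return 'joined'; // late joiners are accepted because the body is buffered
    }
    this.inflight.set(key, { chunks: [], followers: [follower] });
    return 'leader';
  }
  onUpstreamChunk(key, chunk) {
    const entry = this.inflight.get(key);
    entry.chunks.push(chunk);
    const retained = entry.chunks.reduce((n, c) => n + c.length, 0);
    this.peakRetainedBytes = Math.max(this.peakRetainedBytes, retained);
  }
  onUpstreamEnd(key) {
    const entry = this.inflight.get(key);
    this.inflight.delete(key);
    for (const f of entry.followers) {
      for (const c of entry.chunks) f.onChunk(c);
      f.onComplete();
    }
  }
}

// Patched pattern: each chunk is forwarded to every follower as it arrives and
// not kept. A request arriving after streaming began would miss earlier chunks,
// so it is refused deduplication and must be sent upstream on its own.
class StreamingDedup {
  constructor() {
    this.inflight = new Map(); // key -> { bodyStarted, followers }
    this.peakRetainedBytes = 0;
  }
  request(key, follower) {
    const entry = this.inflight.get(key);
    if (entry) {
      if (entry.bodyStarted) return 'late';
      entry.followers.push(follower);
      return 'joined';
    }
    this.inflight.set(key, { bodyStarted: false, followers: [follower] });
    return 'leader';
  }
  onUpstreamChunk(key, chunk) {
    const entry = this.inflight.get(key);
    entry.bodyStarted = true;
    for (const f of entry.followers) f.onChunk(chunk);
    // Only the chunk currently being fanned out is held.
    this.peakRetainedBytes = Math.max(this.peakRetainedBytes, chunk.length);
  }
  onUpstreamEnd(key) {
    const entry = this.inflight.get(key);
    this.inflight.delete(key);
    for (const f of entry.followers) f.onComplete();
  }
}

// Drives a handler with `concurrent` identical requests issued before the body
// starts, plus one more issued after the first chunk, against a constructed
// upstream response of `chunkCount` chunks of `chunkSize` bytes each.
function simulate(handler, { concurrent, chunkSize, chunkCount }) {
  const key = 'GET https://upstream.example/large'; // constructed dedup key
  const followers = [];
  const newFollower = () => {
    const f = {
      bytes: 0,
      done: false,
      onChunk(c) { f.bytes += c.length; },
      onComplete() { f.done = true; },
    };
    followers.push(f);
    return f;
  };
  const outcomes = [];
  for (let i = 0; i < concurrent; i++) outcomes.push(handler.request(key, newFollower()));
  const chunk = Buffer.alloc(chunkSize, 0x41); // constructed body chunk ("AAAA...")
  handler.onUpstreamChunk(key, chunk);
  const lateOutcome = handler.request(key, newFollower()); // arrives mid-body
  for (let i = 1; i < chunkCount; i++) handler.onUpstreamChunk(key, chunk);
  handler.onUpstreamEnd(key);
  return {
    outcomes,
    lateOutcome,
    peakRetainedBytes: handler.peakRetainedBytes,
    bytesPerCompletedRequest: followers.filter((f) => f.done).map((f) => f.bytes),
  };
}

// Stand-alone run: same body, same concurrency, very different peak memory.
const scenario = { concurrent: 4, chunkSize: 1024, chunkCount: 64 };
console.log('buffering', simulate(new BufferingDedup(), scenario));
console.log('streaming', simulate(new StreamingDedup(), scenario));
```

The point the model makes is the one in the patch description: once chunks are forwarded instead of stored, peak retention is bounded by a single chunk regardless of body size or request count, and the price is that a deduplication candidate arriving after the first chunk has to be refused rather than served from a buffer.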
Published: 2026-03-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Undici, the HTTP client library used by many Node.js applications, has a flaw that allows uncontrolled memory consumption when its deduplication interceptor is enabled. Response data for identical, concurrently issued requests is buffered in memory for the deduplicated handlers rather than streamed to them chunk by chunk, so memory grows with the size of the response body rather than with the size of a single chunk. If an attacker controls or can influence an upstream endpoint so that it returns large or chunked responses, and the application sends several identical requests concurrently, the process can exhaust available memory, leading to an out-of-memory (OOM) termination and a denial of service. The underlying weakness is allocation of resources without limits or throttling (CWE-770), a specific form of uncontrolled resource consumption (CWE-400).

Affected Systems

Affected systems are Node.js applications that depend on the Undici package and have its deduplication interceptor (interceptors.deduplicate()) enabled. The vulnerability is present in Undici releases prior to the first patched release. Exact version ranges are not specified in the advisory, so any installation with the interceptor enabled that has not been upgraded to a release including the patch should be treated as susceptible.

Risk and Exploitability

The issue carries a CVSS 3.1 score of 5.9 (medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable and requiring no privileges or user interaction, but with high attack complexity, since the attacker must control or influence an upstream endpoint the application talks to and must also cause the application to issue several identical requests concurrently. Confidentiality and integrity are unaffected; the impact is on availability only. The EPSS score of less than 1% indicates exploitation is currently unlikely, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation as none and Automatable as no. The preconditions are specific, but where they hold the effect on process memory can be severe enough to crash the application.

Generated by OpenCVE AI on March 18, 2026 at 14:50 UTC.

Remediation

The upstream advisory describes a fix (streaming deduplicated response chunks to downstream handlers as they arrive, and refusing late deduplication once body streaming has started) and directs users to the first Undici, and where applicable Node.js, releases that include it. No other workaround is listed; since the advisory states the issue only arises when interceptors.deduplicate() is enabled, applications that do not need deduplication can leave the interceptor disabled until they have upgraded.

OpenCVE Recommended Actions

  • Upgrade Undici to the first official release that includes the patch, which changes deduplication to stream response chunks and prevents late deduplication when streaming has started.



Advisories
Source: GitHub GHSA
ID: GHSA-phc3-fgpg-7m6h
Title: Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
History

Wed, 18 Mar 2026 13:45:00 +0000

Type: First Time appeared
Values Added: Nodejs; Nodejs undici
Type: CPEs
Values Added: cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Type: Vendors & Products
Values Added: Nodejs; Nodejs undici

Fri, 13 Mar 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Undici; Undici undici
Type: Vendors & Products
Values Added: Undici; Undici undici

Fri, 13 Mar 2026 00:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate


Thu, 12 Mar 2026 20:30:00 +0000

Type: Description
Values Added: This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination. Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies. Patches: The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
Type: Title
Values Added: undici is vulnerable to Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS
Type: Weaknesses
Values Added: CWE-770
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-13T18:04:58.799Z

Reserved: 2026-02-16T12:07:35.310Z

Link: CVE-2026-2581

Vulnrichment

Updated: 2026-03-13T18:04:54.993Z

NVD

Status : Analyzed

Published: 2026-03-12T21:16:25.930

Modified: 2026-03-18T13:37:08.920

Link: CVE-2026-2581

Redhat

Severity : Moderate

Public Date: 2026-03-12T20:13:19Z

Links: CVE-2026-2581 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T10:00:28Z

Weaknesses