Undici deduplication interceptor memory OOM | 7.23
CVE-2026-2581 Published on March 12, 2026

undici is vulnerable to Unbounded Memory Consumption in in Undici's DeduplicationHandler via Response Buffering leads to DoS
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination. Impacted users are applications that use Undicis deduplication interceptor against endpoints that may produce large or long-lived response bodies. PatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.

Github Repository NVD

Vulnerability Analysis

CVE-2026-2581 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.


Products Associated with CVE-2026-2581

Want to know whenever a new CVE is published for nodejs Undici? stack.watch will email you.

nodejs Undici
 

Affected Versions

undici:

Vulnerable Packages

The following package name and versions may be associated with CVE-2026-2581

Package Manager Vulnerable Package Versions Fixed In
npm undici >= 7.17.0, < 7.24.0 7.24.0

Exploit Probability

EPSS
0.07%
Percentile
20.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.