CVE-2026-2581
Uncontrolled Resource Consumption in Undici Deduplication Causes DoS

Publication date: 2026-03-12

Last updated on: 2026-03-18

Assigner: openjs

Description
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large or chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination. Impacted users are applications that use Undici's deduplication interceptor against endpoints that may produce large or long-lived response bodies.

Patches
The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nodejs
Product: undici
Version range: from 7.17.0 (inclusive) to 7.24.0 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2581 is a moderate severity vulnerability in the Undici HTTP client library that occurs when the deduplication feature (interceptors.deduplicate()) is enabled.

The vulnerability arises because response data for deduplicated requests is buffered entirely in memory before being passed to downstream handlers, instead of streaming the data as it arrives.

An attacker controlling or influencing an upstream endpoint can exploit this by sending large or chunked responses combined with concurrent identical requests, causing unbounded memory consumption.

This can lead to Denial of Service (DoS) through out-of-memory (OOM) process termination.
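The two delivery strategies the advisory contrasts, as an added example that is not Undici's code or part of the original page: a minimal model of a deduplicating request layer that shares one upstream response among several identical in-flight requests. The vulnerable path accumulates the whole body before fanning it out; the patched path forwards each chunk as it arrives and refuses late joiners once streaming has begun. Chunk sizes, the subscriber objects and the DedupRegistry API are all constructed for this illustration.

```javascript
// Added example, not undici's code: model of a deduplicating request layer.
// Everything below (chunk sizes, subscriber shape, registry API) is constructed.

// Upstream body as an array of chunks (Buffers), like a chunked HTTP response.
function makeChunkedBody(chunkBytes, chunkCount) {
  const chunks = [];
  for (let i = 0; i < chunkCount; i++) chunks.push(Buffer.alloc(chunkBytes, 0x41));
  return chunks;
}

// A downstream handler that only records what it was given.
function makeSubscriber() {
  return { received: 0, calls: 0, onData(c) { this.received += c.length; this.calls++; } };
}

// Vulnerable strategy: every chunk is retained until the body is complete, so
// the dedup layer holds the full body no matter how fast consumers drain it.
// Returns the peak number of bytes held by the dedup layer.
function bufferedFanout(chunks, subscribers) {
  const acc = [];
  let held = 0, peak = 0;
  for (const c of chunks) {
    acc.push(c);
    held += c.length;
    peak = Math.max(peak, held);
  }
  const body = Buffer.concat(acc);          // a second full copy exists at fan-out time
  peak = Math.max(peak, held + body.length);
  for (const s of subscribers) s.onData(body);
  return peak;
}

// Patched strategy: each chunk goes to every subscriber immediately and is then
// dropped; the dedup layer never holds more than one chunk at a time.
function streamingFanout(chunks, subscribers) {
  let peak = 0;
  for (const c of chunks) {
    peak = Math.max(peak, c.length);
    for (const s of subscribers) s.onData(c);
  }
  return peak;
}

// Second half of the fix: a request arriving after the shared response has
// started streaming must not join it (it would miss chunks already forwarded);
// it has to issue its own upstream request instead.
class DedupRegistry {
  constructor() { this.inflight = new Map(); } // key -> { subscribers, started }
  // Returns 'joined' if attached to a pending shared response, otherwise 'new'.
  request(key, subscriber) {
    const entry = this.inflight.get(key);
    if (entry && !entry.started) { entry.subscribers.push(subscriber); return 'joined'; }
    if (!entry) this.inflight.set(key, { subscribers: [subscriber], started: false });
    return 'new';
  }
  // Called on the first body chunk: closes the entry to late joiners.
  markStarted(key) { const e = this.inflight.get(key); if (e) e.started = true; }
  // Called when the shared response completes.
  finish(key) { this.inflight.delete(key); }
}

function demo() {
  const chunks = makeChunkedBody(1024, 8); // 8 KiB body delivered in 1 KiB chunks
  const a = [makeSubscriber(), makeSubscriber(), makeSubscriber()];
  const b = [makeSubscriber(), makeSubscriber(), makeSubscriber()];
  return {
    bufferedPeak: bufferedFanout(chunks, a),   // full body accumulated plus the concat copy
    streamingPeak: streamingFanout(chunks, b), // one chunk at a time
    eachGotFullBody: [...a, ...b].every(s => s.received === 8192),
  };
}
console.log(demo());
```

The buffered peak grows with the body size and is paid once per distinct in-flight key, so an upstream that answers slowly with a large chunked body makes every coalesced request group a long-lived allocation; the streaming peak is bounded by the largest single chunk regardless of body length.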


How can this vulnerability impact me?

If your application uses Undici's deduplication interceptor against endpoints that may produce large or long-lived response bodies, this vulnerability can cause your application to consume excessive memory.

An attacker can exploit this by sending large or chunked responses with concurrent identical requests, leading to high memory usage.

This excessive memory consumption can cause your application to crash or become unavailable due to out-of-memory (OOM) process termination, resulting in Denial of Service (DoS). [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for high memory usage and potential out-of-memory (OOM) process termination in applications using Undici with interceptors.deduplicate() enabled.

Since the vulnerability is triggered by large or chunked responses combined with concurrent identical requests, you can look for patterns of such requests in your logs or network traffic.

Suggested commands include monitoring memory usage of the affected process and checking for concurrent identical requests to untrusted endpoints:

  • Use system tools like top or htop to monitor memory consumption of the Node.js process running Undici. Note that accumulated Buffers are off-heap, so RSS rises while the V8 heap may look normal.
  • Use netstat or ss to inspect active network connections. These show connection counts per upstream, not request identity; a burst of connections to one upstream is only a hint.
  • Analyze application logs for repeated identical requests to the same upstream endpoints.
  • Use packet capture tools like tcpdump or Wireshark to inspect HTTP traffic for large or chunked responses combined with concurrent identical requests. This only works for plaintext HTTP or where TLS is terminated at a point you can capture. [1]
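The log-analysis step above, as an added example that is not part of the original page: a sweep over an application's outbound request log that finds keys (method plus URL) with many overlapping in-flight requests, which is exactly the group a deduplicating client would coalesce onto one shared response, plus a process-level memory probe. The log line format, the sample lines and the threshold are constructed for this example; adapt parseLine() to your own logger.

```javascript
// Added example, not part of the advisory: find concurrent identical outbound
// requests in a request log and sample the process's own memory.
// Constructed log format: "<ISO time> <start|end> <method> <url>".
const SAMPLE_LOG = `
2026-03-12T10:00:00.000Z start GET https://upstream.example/report?id=1
2026-03-12T10:00:00.010Z start GET https://upstream.example/report?id=1
2026-03-12T10:00:00.020Z start GET https://upstream.example/report?id=1
2026-03-12T10:00:00.030Z start GET https://upstream.example/health
2026-03-12T10:00:00.040Z end   GET https://upstream.example/health
2026-03-12T10:00:00.050Z start GET https://upstream.example/report?id=1
2026-03-12T10:00:02.000Z end   GET https://upstream.example/report?id=1
2026-03-12T10:00:02.100Z end   GET https://upstream.example/report?id=1
2026-03-12T10:00:02.200Z end   GET https://upstream.example/report?id=1
2026-03-12T10:00:02.300Z end   GET https://upstream.example/report?id=1
`.trim().split('\n');

// Parse one line into { t, ev, key }; returns null for lines that do not match.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(start|end)\s+(\S+)\s+(\S+)$/);
  if (!m) return null;
  return { t: Date.parse(m[1]), ev: m[2], key: `${m[3]} ${m[4]}` };
}

// Sweep events in time order, tracking in-flight count per key and recording
// the peak overlap for each key.
function peakConcurrency(lines) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.t - b.t);
  const inflight = new Map(), peak = new Map();
  for (const e of events) {
    const n = (inflight.get(e.key) || 0) + (e.ev === 'start' ? 1 : -1);
    inflight.set(e.key, n);
    if (n > (peak.get(e.key) || 0)) peak.set(e.key, n);
  }
  return peak;
}

// Keys whose peak overlap reaches the threshold: candidates for deduplication,
// and therefore for a shared, accumulated response body.
function flagDedupCandidates(lines, threshold = 3) {
  const out = [];
  for (const [key, n] of peakConcurrency(lines)) {
    if (n >= threshold) out.push({ key, peak: n });
  }
  return out;
}

// Process-level signal. Buffers accumulated by the dedup layer are counted in
// `external` (and in RSS), not in `heapUsed`, so watch all three on a timer.
function memorySnapshotMiB() {
  const m = process.memoryUsage();
  const mib = (n) => +(n / 1048576).toFixed(1);
  return { rss: mib(m.rss), heapUsed: mib(m.heapUsed), external: mib(m.external) };
}

console.log(flagDedupCandidates(SAMPLE_LOG));
console.log(memorySnapshotMiB());
```

A flagged key is not proof of exploitation; it tells you which upstream endpoints to check for large or slow chunked responses, and where disabling deduplication (see the mitigation section) would matter most.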


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading to Undici version 7.24.0 or later, where the vulnerability is patched.

If upgrading immediately is not possible, the following steps can help reduce risk:

  • Disable interceptors.deduplicate() on affected routes to prevent accumulation of full response bodies in memory.
  • Use skipHeaderNames with marker headers to bypass deduplication for requests that may return large or chunked responses.
  • Avoid sending concurrent identical requests to untrusted upstream endpoints that might produce large or chunked responses.
  • Apply upstream or proxy limits on response size and timeouts to prevent excessive resource consumption.
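The upgrade check from the mitigation steps above, as an added example that is not Undici's or Node.js's code: it compares every copy of undici found in an npm lock file against the affected range the advisory lists (7.17.0 inclusive to 7.24.0 exclusive), including nested copies under another dependency's node_modules, and reports the undici copy bundled into the running Node binary, which is fixed by a Node release rather than an npm upgrade. The lock file is constructed inline so the example runs offline; in practice JSON.parse the project's package-lock.json.

```javascript
// Added example, not undici's code: check installed undici versions against
// the advisory's affected range. SAMPLE_LOCK is constructed for the example.
const AFFECTED_MIN = '7.17.0'; // inclusive, from the advisory
const FIXED = '7.24.0';        // exclusive, from the advisory

// Compare dotted numeric versions; a pre-release ("7.24.0-rc.1") sorts below
// its base release, as in semver. Ordering between two pre-release tags of the
// same base is not modelled. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const [ba, pa] = a.split('-');
  const [bb, pb] = b.split('-');
  const na = ba.split('.').map(Number), nb = bb.split('.').map(Number);
  for (let i = 0; i < Math.max(na.length, nb.length); i++) {
    const x = na[i] ?? 0, y = nb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa && !pb) return -1;
  if (!pa && pb) return 1;
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, FIXED) < 0;
}

// Walk an npm lockfile (lockfileVersion 2/3 "packages" map) and report every
// undici copy, including nested ones under <dep>/node_modules/undici.
function findUndiciInLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/undici' || path.endsWith('/node_modules/undici')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Node bundles its own undici for global fetch(); process.versions.undici
// reports that copy. Check it against the fixed Node releases, not npm.
function bundledUndiciVersion() {
  return process.versions.undici || null;
}

// Constructed lock file: a direct dependency on an affected version and a
// nested copy that is already at the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/undici': { version: '7.20.0' },
    'node_modules/some-client': { version: '2.0.0' },
    'node_modules/some-client/node_modules/undici': { version: '7.24.0' },
  },
};

for (const h of findUndiciInLockfile(SAMPLE_LOCK)) {
  console.log(`${h.path} ${h.version} ${h.affected ? 'AFFECTED' : 'ok'}`);
}
console.log('bundled undici:', bundledUndiciVersion());
```

Only copies that actually have interceptors.deduplicate() enabled are exposed, so a hit in the lock file means "upgrade or confirm the interceptor is not used on that copy", not that the application is necessarily vulnerable.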
