CVE-2026-2581

{"id": "CVE-2026-2581", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2026-03-12T21:16:25.930", "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://hackerone.com/reports/3513473", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).\n\nIn vulnerable Undici versions, when\u00a0interceptors.deduplicate()\u00a0is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.\n\nImpacted users are applications that use Undici\u2019s deduplication interceptor against endpoints that may produce large or long-lived response bodies.\n\nPatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.\n\nUsers should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch."}, {"lang": "es", "value": "Esta es una vulnerabilidad de consumo de recursos no controlado (CWE-400) que puede conducir a una denegaci\u00f3n de servicio (DoS).\n\nEn versiones vulnerables de Undici, cuando interceptors.deduplicate() est\u00e1 habilitado, los datos de respuesta para solicitudes deduplicadas podr\u00edan acumularse en la memoria para los manejadores posteriores. Un endpoint ascendente controlado por un atacante o no confiable puede explotar esto con respuestas grandes/en fragmentos y solicitudes id\u00e9nticas concurrentes, causando un alto uso de memoria y una posible terminaci\u00f3n del proceso por OOM.\n\nLos usuarios afectados son aplicaciones que utilizan el interceptor de deduplicaci\u00f3n de Undici contra endpoints que pueden producir cuerpos de respuesta grandes o de larga duraci\u00f3n.\n\nParches. El problema ha sido parcheado cambiando el comportamiento de deduplicaci\u00f3n para transmitir fragmentos de respuesta a los manejadores posteriores a medida que llegan (en lugar de la acumulaci\u00f3n del cuerpo completo), y evitando la deduplicaci\u00f3n tard\u00eda cuando la transmisi\u00f3n del cuerpo ya ha comenzado.\n\nLos usuarios deber\u00edan actualizar a las primeras versiones oficiales de Undici (y Node.js, cuando corresponda) que incluyan este parche."}], "lastModified": "2026-03-13T20:06:54.667", "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}