PT-2026-25067 · Undici

Adnan Jakati

Published

2026-03-12

Updated

2026-05-18

CVE-2026-2581

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Undici versions prior to 7.24.0
Description

This is an uncontrolled resource consumption issue that can lead to a denial of service (DoS). When the interceptors.deduplicate() function is enabled in vulnerable versions, response data for deduplicated requests can accumulate in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large or chunked responses combined with concurrent identical requests, causing high memory usage and potential out-of-memory (OOM) process termination. Impacted users are applications that use Undici's deduplication interceptor against endpoints that may produce large or long-lived response bodies. The issue is addressed by changing the deduplication behavior to stream response chunks to downstream handlers as they arrive instead of accumulating the full body, and by preventing late deduplication once body streaming has already started.
Recommendations

Upgrade to Undici version 7.24.0 or later.
Disable the interceptors.deduplicate() function for affected clients or routes.
Use skipHeaderNames with a marker header to force high-risk requests to bypass deduplication.
Avoid concurrent identical requests to untrusted endpoints that may return very large or chunked bodies.
Apply upstream or proxy response-size and timeout limits.
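The accumulate-versus-stream behaviour the description contrasts, as a constructed JavaScript model added here (not undici's own code and not its interceptor API): a deduplication layer that either buffers the whole body before fan-out, or forwards each chunk as it arrives and refuses to coalesce requests once streaming has begun. The Deduper class, fakeUpstream and simulate are assumed names for this illustration.

```javascript
// Constructed model of the CVE-2026-2581 failure mode; not undici's own code.
// 'accumulate' = vulnerable pattern: whole body buffered before any handler sees it,
// late joiners still coalesced. 'stream' = fixed pattern: chunks forwarded as they
// arrive, and no deduplication once body streaming has begun.
class Deduper {
  constructor(mode) {                            // mode: 'accumulate' | 'stream'
    this.mode = mode; this.inflight = new Map(); // key -> { handlers, started, done }
    this.upstreamCalls = 0; this.peakBuffered = 0; // most bytes the layer held at once
  }
  request(key, upstream, onChunk) {
    const entry = this.inflight.get(key);
    if (entry && !(this.mode === 'stream' && entry.started)) {
      entry.handlers.push(onChunk);              // join the in-flight request
      return entry.done;
    }
    return this.start(key, upstream, onChunk, entry === undefined);
  }
  start(key, upstream, onChunk, register) {
    this.upstreamCalls++;
    const e = { handlers: [onChunk], started: false };
    e.done = (async () => {
      const buffered = []; let held = 0;
      for await (const chunk of upstream()) {
        e.started = true;
        if (this.mode === 'accumulate') {
          buffered.push(chunk); held += chunk.length; // vulnerable: grows with the body
        } else {
          held = chunk.length;                        // fixed: one chunk in transit
          for (const h of e.handlers) h(chunk);
        }
        this.peakBuffered = Math.max(this.peakBuffered, held);
      }
      if (this.mode === 'accumulate') for (const h of e.handlers) for (const c of buffered) h(c);
      if (register) this.inflight.delete(key);
    })();
    if (register) this.inflight.set(key, e);
    return e.done;
  }
}
const tick = () => new Promise((r) => setTimeout(r, 0));
async function* fakeUpstream(chunks, size) {     // constructed upstream: one chunk per tick
  for (let i = 0; i < chunks; i++) { await tick(); yield new Uint8Array(size); }
}
async function simulate(mode, concurrent, chunks, size) { // N requests up front, plus 1 late
  const d = new Deduper(mode), up = () => fakeUpstream(chunks, size);
  const received = Array(concurrent + 1).fill(0), pending = [];
  for (let i = 0; i < concurrent; i++) pending.push(d.request('GET /large', up, (c) => { received[i] += c.length; }));
  await tick();                                  // first chunk has now reached the layer
  pending.push(d.request('GET /large', up, (c) => { received[concurrent] += c.length; }));
  await Promise.all(pending);
  return { upstreamCalls: d.upstreamCalls, peakBuffered: d.peakBuffered, received };
}
```

With three concurrent requests and a four-chunk body, both modes deliver the full body to every handler, but the accumulating layer holds the entire body at once while the streaming layer never holds more than one chunk, and the late joiner in stream mode gets its own upstream request instead of being coalesced.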

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-2581
GHSA-PHC3-FGPG-7M6H
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675

Affected Products

Rocky Linux
Undici