
3502 matches found

OSV
added 2025/05/15 6:15 p.m., 6 views

AZL-61895 CVE-2025-47279 affecting package nodejs18 for versions less than 18.20.3-6

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, th...

CVSS 3.1, AI score 5.6, EPSS 0.00254
Exploits 0, References 1
CVE
added 2025/05/15 5:16 p.m., 173 views

CVE-2025-47279

CVE-2025-47279 — Undici (Node.js HTTP/1.1 client) : A memory leak can occur in webhook-like usage when an attacker runs a server with an invalid TLS certificate and forces repeated webhook calls. The issue is fixed in Undici versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a web...

CVSS 3.1, AI score 3.8, EPSS 0.00254
Exploits 0, References 4
Vulnrichment
added 2025/05/15 5:16 p.m., 9 views

CVE-2025-47279 undici Denial of Service attack via bad certificate data

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, th...

CVSS 3.1, AI score 3.7, EPSS 0.00254
Exploits 0, References 4
Cvelist
added 2025/05/15 5:16 p.m., 19 views

CVE-2025-47279 undici Denial of Service attack via bad certificate data

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, th...

CVSS 3.1, EPSS 0.00254
Exploits 0, References 4
OSV
added 2025/05/15 5:16 p.m., 6 views

CVE-2025-47279 undici Denial of Service attack via bad certificate data

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, th...

CVSS 3.1, AI score 6.1, EPSS 0.00254
Exploits 0, References 6
Debian CVE
added 2025/05/15 5:16 p.m., 8 views

CVE-2025-47279

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, th...

CVSS 3.1, AI score 5.9, EPSS 0.00254
Exploits 0
OSV
added 2025/05/15 2:15 p.m., 2 views

GHSA-CXRH-J4JR-QWG3 undici Denial of Service attack via bad certificate data

Impact: Applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. Patches: This has been patched in...

CVSS 3.1, AI score 6.6, EPSS 0.00254
Exploits 0, References 6
Snyk
added 2025/05/15 2:15 p.m., 2 views

Missing Release of Memory after Effective Lifetime

Overview: org.webjars.npm:undici is an HTTP/1.1 client, written from scratch for Node.js. Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper handling of invalid certificate data. An attacker can cause a memory leak by setting up...

CVSS 3.1, AI score 9.1, EPSS 0.00254
Exploits 0, References 2
Github Security Blog
added 2025/05/15 2:15 p.m., 11 views

undici Denial of Service attack via bad certificate data

Impact: Applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. Patches: This has been patched in...

CVSS 3.1, AI score 6.7, EPSS 0.00254
Exploits 0, References 6, Affected Software 1
CNNVD
added 2025/05/15 12:00 a.m., 1 view

undici security vulnerability

undici is an open-source HTTP/1.1 client for Node.js. A security vulnerability exists in undici versions prior to 5.29.0, 6.21.2, and 7.5.0; it stems from repeated webhook calls to a server with an invalid certificate, which could lead to a memory leak...

CVSS 3.1, AI score 6, EPSS 0.00254
Exploits 0, References 3
Positive Technologies
added 2025/05/15 12:00 a.m., 3 views

PT-2025-21343

Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.29.0; Undici versions prior to 6.21.2; Undici versions prior to 7.5.0. Description: The issue affects applications that use Undici to implement a webhook-like system. If an attacker sets up a server with an invalid...

CVSS 3.1, AI score 6.4, EPSS 0.00254
Exploits 0, References 16
NVD
added 2025/05/14 9:15 p.m., 12 views

CVE-2025-47888

Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks...

CVSS 5.9, EPSS 0.00192
Exploits 0, References 1
CVE
added 2025/05/14 8:35 p.m., 52 views

CVE-2025-47888

CVE-2025-47888 affects the Jenkins DingTalk Plugin (versions 2.7.3 and earlier). The vulnerability stems from the plugin unconditionally disabling SSL/TLS certificate and hostname validation when connecting to DingTalk webhooks, enabling potential exposure to MITM attacks and compromising confide...

CVSS 5.9, AI score 7, EPSS 0.00192
Exploits 0, References 1, Affected Software 1
RedhatCVE
added 2025/04/25 11:54 p.m., 5 views

CVE-2025-27936

Mattermost Plugin MSTeams versions 2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on a MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.3, AI score 6.7, EPSS 0.0027
Exploits 0, References 1
Veracode
added 2025/04/25 3:26 a.m., 3 views

Timing Attack

github.com/mattermost/mattermost-server is vulnerable to a timing attack. The vulnerability is due to an improper implementation of constant-time comparison when comparing the MSTeams plugin webhook secret, which allows an attacker to exploit timing differences in the comparison process to extract the...

CVSS 5.9, AI score 6.5, EPSS 0.0027
Exploits 0, References 4, Affected Software 2
SUSE CVE
added 2025/04/24 3:24 a.m., 3 views

SUSE CVE-2025-27936

Mattermost Plugin MSTeams versions 2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on a MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.9, AI score 3.9, EPSS 0.0027
Exploits 0, References 3
CVE
added 2025/04/23 4:45 p.m., 61 views

CVE-2025-1521

CVE-2025-1521 concerns PostHog's slack_incoming_webhook processing. The vulnerability stems from inadequate validation of a URI before accessing resources, enabling a network-based SSRF that can disclose sensitive information and potentially execute code in the service account context. The initia...

CVSS 7.1, AI score 6.4, EPSS 0.00546
Exploits 0, References 2, Affected Software 1
CNNVD
added 2025/04/23 12:00 a.m., 1 view

PostHog code issue vulnerability

PostHog is an all-in-one open source platform from PostHog Open Source. A code issue vulnerability exists in PostHog that stems from the lack of validation of the URI when the slack_incoming_webhook parameter is processed, which could lead to server-side request forgery and information disclosure...

CVSS 7.1, AI score 6.8, EPSS 0.00546
Exploits 0, References 2
OSV
added 2025/04/16 12:31 p.m., 4 views

GHSA-2J87-P623-8CC2 Mattermost vulnerable to Observable Timing Discrepancy

Mattermost Plugin MSTeams versions 2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on a MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.3, AI score 7, EPSS 0.0027
Exploits 0, References 4
Snyk
added 2025/04/16 12:31 p.m., 1 view

Timing Attack

Overview: Affected versions of this package are vulnerable to a timing attack due to the improper handling of webhook secret comparisons. An attacker can retrieve the webhook secret by exploiting the timing discrepancy during the comparison process. Remediation: Upgrade...

CVSS 6, AI score 6.9, EPSS 0.0027
Exploits 0, References 2