CVE-2026-2581

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/03/2026
Last modified: 12/03/2026

Description

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).

In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large or chunked responses combined with concurrent identical requests, causing high memory usage and potential OOM termination of the process.

Impacted users are applications that use Undici's deduplication interceptor against endpoints that may produce large or long-lived response bodies.

Patches

The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of accumulating the full body), and by preventing late deduplication once body streaming has already started.

Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
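The two behaviours the advisory contrasts, the vulnerable accumulate-then-replay and the patched stream-as-it-arrives with no late joining, as an added JavaScript illustration. This is not Undici's code: `ToyDeduplicator`, `simulate`, the fake chunk-driving transport and the request URL are this example's own constructions, and the memory figure it reports is only the bytes the deduplicator itself retains.

```javascript
// Added example (not Undici's code): a toy request deduplicator that models the two
// behaviours in the advisory. Mode 'accumulate' buffers the whole upstream body and
// replays it to every coalesced handler (the CWE-400 pattern); mode 'stream' forwards
// each chunk as it arrives and refuses to attach late requests once streaming began.
// Names (ToyDeduplicator, simulate, onUpstreamData, ...) are this example's own.

class ToyDeduplicator {
  constructor(mode) {
    this.mode = mode;            // 'accumulate' (vulnerable) or 'stream' (patched)
    this.inflight = new Map();   // request key -> entry that new arrivals may join
    this.upstreamCalls = 0;      // how many times we went to the upstream
    this.peakBuffered = 0;       // most bytes the deduplicator held at one instant
  }

  // A downstream handler is { onData(chunk), onEnd() }. Returns the entry the
  // (fake) transport must feed with upstream chunks.
  request(req, handler) {
    const key = `${req.method} ${req.url}`;
    const entry = this.inflight.get(key);
    if (entry !== undefined) {     // identical request in flight and still joinable
      entry.handlers.push(handler);
      return entry;
    }
    const fresh = { key, handlers: [handler], streaming: false, chunks: [], bytes: 0 };
    this.inflight.set(key, fresh);
    this.upstreamCalls++;
    return fresh;
  }

  onUpstreamData(entry, chunk) {
    if (this.mode === 'accumulate') {
      // Vulnerable: keep every chunk so the full body can be replayed to all
      // handlers (including any that join later). Memory grows with body size,
      // which an untrusted upstream controls.
      entry.chunks.push(chunk);
      entry.bytes += chunk.length;
      this.peakBuffered = Math.max(this.peakBuffered, this.totalBuffered());
      return;
    }
    // Patched: hand the chunk straight to the handlers and retain nothing.
    if (!entry.streaming) {
      entry.streaming = true;
      // Late deduplication prevented: a request arriving from now on would have
      // missed chunks, so it must not attach to this entry.
      this.inflight.delete(entry.key);
    }
    for (const h of entry.handlers) h.onData(chunk);
    this.peakBuffered = Math.max(this.peakBuffered, chunk.length);
  }

  onUpstreamEnd(entry) {
    if (this.mode === 'accumulate') {
      const body = Buffer.concat(entry.chunks);   // a second full copy, briefly
      this.inflight.delete(entry.key);
      for (const h of entry.handlers) { h.onData(body); h.onEnd(); }
      return;
    }
    if (!entry.streaming) this.inflight.delete(entry.key);   // empty-body case
    for (const h of entry.handlers) h.onEnd();
  }

  totalBuffered() {
    let n = 0;
    for (const e of this.inflight.values()) n += e.bytes;
    return n;
  }
}

// Drives the deduplicator with a constructed fake transport: `concurrent` identical
// requests arrive before the first byte; optionally one more arrives after
// `lateJoinAfter` chunks. Every entry opened upstream is fed `chunks` chunks of
// `chunkSize` bytes, one per tick. Returns what an operator would measure.
function simulate(mode, { concurrent, chunks, chunkSize, lateJoinAfter = null }) {
  const dedup = new ToyDeduplicator(mode);
  const req = { method: 'GET', url: 'https://upstream.example/large' };  // constructed
  const received = [];   // bytes seen by each downstream handler
  const newHandler = () => {
    const i = received.push(0) - 1;
    return { onData: (c) => { received[i] += c.length; }, onEnd() {} };
  };
  const progress = new Map();   // entry -> chunks delivered so far
  const issue = () => {
    const e = dedup.request(req, newHandler());
    if (!progress.has(e)) progress.set(e, 0);
  };
  for (let n = 0; n < concurrent; n++) issue();
  for (let tick = 0; ; tick++) {
    if (tick === lateJoinAfter) issue();
    let active = false;
    for (const [e, done] of progress) {
      if (done >= chunks) continue;
      active = true;
      dedup.onUpstreamData(e, Buffer.alloc(chunkSize, done & 0xff));
      if (done + 1 === chunks) dedup.onUpstreamEnd(e);
      progress.set(e, done + 1);
    }
    if (!active) break;
  }
  return { upstreamCalls: dedup.upstreamCalls, peakBuffered: dedup.peakBuffered, received };
}
```

With three identical requests against a 1024-chunk body of 16 KiB chunks, the accumulating variant holds the whole 16 MiB (plus a second copy at `Buffer.concat` time) before any handler sees a byte, while the streaming variant never holds more than one chunk; a request issued after streaming has started gets its own upstream call instead of joining. Only the deduplicator's own retention is counted here; in a real process the untrusted peer can additionally multiply the cost across distinct request keys and slow, long-lived responses, which is why the advisory scopes impact to applications that enable the interceptor against such endpoints.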