Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-vdca-exd1-rfce

Summary

Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
## Impact
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).

In vulnerable Undici versions, when `interceptors.deduplicate()` is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.

Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies.

## Patches

The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.

Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.

## Workarounds
If upgrading immediately is not possible:

- Disable `interceptors.deduplicate()` for affected clients/routes.
- Use `skipHeaderNames` with a marker header to force high-risk requests to bypass deduplication.
- Avoid concurrent identical requests to untrusted endpoints that may return very large/chunked bodies.
- Apply upstream/proxy response-size and timeout limits.

Aliases

alias	CVE-2026-2581

alias	GHSA-phc3-fgpg-7m6h

Fixed_packages

url	pkg:deb/debian/node-undici@0?distro=trixie
purl	pkg:deb/debian/node-undici@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie

url pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie

purl pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1294-r4v2-3ud7

vulnerability	VCID-g9bm-61bn-ryg5

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-pah5-gspe-hbbh

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-u8t3-4awy-k3fm

vulnerability	VCID-xx5u-7mmp-akfs

vulnerability	VCID-z653-vqsc-euer

vulnerability	VCID-z7ac-jr58-gkfm

vulnerability	VCID-zb3h-efqz-dff3

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie

url	pkg:deb/debian/node-undici@7.24.5%2Bdfsg%2B~cs3.2.0-1?distro=trixie
purl	pkg:deb/debian/node-undici@7.24.5%2Bdfsg%2B~cs3.2.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.5%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie

url	pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie
purl	pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie

url	pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2
purl	pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2

url	pkg:npm/undici@7.24.0
purl	pkg:npm/undici@7.24.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0

Affected_packages

url pkg:deb/debian/node-undici@7.3.0%2Bdfsg1%2B~cs24.12.11-1?distro=trixie

purl pkg:deb/debian/node-undici@7.3.0%2Bdfsg1%2B~cs24.12.11-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1294-r4v2-3ud7

vulnerability	VCID-g9bm-61bn-ryg5

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

vulnerability	VCID-zb3h-efqz-dff3

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.3.0%252Bdfsg1%252B~cs24.12.11-1%3Fdistro=trixie

url pkg:deb/debian/node-undici@7.3.0%2Bdfsg1%2B~cs24.12.11-1

purl pkg:deb/debian/node-undici@7.3.0%2Bdfsg1%2B~cs24.12.11-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1294-r4v2-3ud7

vulnerability	VCID-g9bm-61bn-ryg5

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

vulnerability	VCID-zb3h-efqz-dff3

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.3.0%252Bdfsg1%252B~cs24.12.11-1

url pkg:deb/debian/node-undici@7.18.2%2Bdfsg%2B~cs3.2.0-1?distro=trixie

purl pkg:deb/debian/node-undici@7.18.2%2Bdfsg%2B~cs3.2.0-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1294-r4v2-3ud7

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.18.2%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie

url pkg:npm/undici@7.17.0

purl pkg:npm/undici@7.17.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

vulnerability	VCID-zb3h-efqz-dff3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.17.0

url pkg:npm/undici@7.18.0

purl pkg:npm/undici@7.18.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

vulnerability	VCID-zb3h-efqz-dff3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.18.0

url pkg:npm/undici@7.18.1

purl pkg:npm/undici@7.18.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

vulnerability	VCID-zb3h-efqz-dff3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.18.1

url pkg:npm/undici@7.18.2

purl pkg:npm/undici@7.18.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.18.2

url pkg:npm/undici@7.19.0

purl pkg:npm/undici@7.19.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.19.0

url pkg:npm/undici@7.19.1

purl pkg:npm/undici@7.19.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.19.1

url pkg:npm/undici@7.19.2

purl pkg:npm/undici@7.19.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.19.2

url pkg:npm/undici@7.20.0

purl pkg:npm/undici@7.20.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.20.0

url pkg:npm/undici@7.21.0

purl pkg:npm/undici@7.21.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.21.0

url pkg:npm/undici@7.22.0

purl pkg:npm/undici@7.22.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.22.0

url pkg:npm/undici@7.23.0

purl pkg:npm/undici@7.23.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.23.0

url pkg:rpm/redhat/nodejs24@1:24.14.1-2?arch=el10_1

purl pkg:rpm/redhat/nodejs24@1:24.14.1-2?arch=el10_1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1vp3-fzdr-yqbm

vulnerability	VCID-2t7c-dju9-pff6

vulnerability	VCID-96yh-1wub-zucg

vulnerability	VCID-bjza-25hu-vkad

vulnerability	VCID-dgkh-jdah-wfh9

vulnerability	VCID-dt7u-3usg-9uet

vulnerability	VCID-fetp-hvhq-dube

vulnerability	VCID-gv39-q6pw-yfh4

vulnerability	VCID-hgd1-7u6j-p7dh

vulnerability	VCID-hzsn-68be-dkej

vulnerability	VCID-n6ew-t7g1-33gn

vulnerability	VCID-ph2p-u33d-8yh3

vulnerability	VCID-q4u6-6pbw-5bcq

vulnerability	VCID-sy2z-sqgk-d7hg

vulnerability	VCID-twc8-ewm7-wkb1

vulnerability	VCID-vdca-exd1-rfce

vulnerability	VCID-xert-byqc-xbe2

vulnerability	VCID-z7ac-jr58-gkfm

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/nodejs24@1:24.14.1-2%3Farch=el10_1

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2581.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2581.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-2581

reference_id

reference_type

scores

value	0.00018
scoring_system	epss
scoring_elements	0.04293
published_at	2026-04-02T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.04366
published_at	2026-04-11T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.04373
published_at	2026-04-09T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.04357
published_at	2026-04-08T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.04325
published_at	2026-04-07T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.04314
published_at	2026-04-04T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.04353
published_at	2026-04-12T12:55:00Z

value	0.00019
scoring_system	epss
scoring_elements	0.05043
published_at	2026-04-13T12:55:00Z

value	0.00019
scoring_system	epss
scoring_elements	0.04985
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-2581

reference_url

https://cna.openjsf.org/security-advisories.html

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:49Z/

url

https://cna.openjsf.org/security-advisories.html

reference_url

https://github.com/nodejs/undici

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/nodejs/undici

reference_url

https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:49Z/

url

https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h

reference_url

https://hackerone.com/reports/3513473

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:49Z/

url

https://hackerone.com/reports/3513473

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-2581

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-2581

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130885
reference_id	1130885
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130885

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2447140
reference_id	2447140
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2447140

reference_url

https://github.com/advisories/GHSA-phc3-fgpg-7m6h

reference_id

GHSA-phc3-fgpg-7m6h

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-phc3-fgpg-7m6h

reference_url	https://access.redhat.com/errata/RHSA-2026:7350
reference_id	RHSA-2026:7350
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7350

reference_url	https://access.redhat.com/errata/RHSA-2026:7670
reference_id	RHSA-2026:7670
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7670

reference_url	https://access.redhat.com/errata/RHSA-2026:7675
reference_id	RHSA-2026:7675
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7675

Weaknesses

cwe_id	770
name	Allocation of Resources Without Limits or Throttling
description	The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

cwe_id	400
name	Uncontrolled Resource Consumption
description	The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vdca-exd1-rfce

Vulnerability Instance