Memory Leak Affecting anythingllm package, versions *


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.25% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-ANYTHINGLLM-16339140
  • published2 May 2026
  • disclosed15 May 2025

Introduced: 15 May 2025

CVE-2025-47279  (opens in a new tab)
CWE-401  (opens in a new tab)

How to fix?

There is no fixed version for Minimos:latest anythingllm.

NVD Description

Note: Versions mentioned in the description apply only to the upstream anythingllm package and not the anythingllm package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

CVSS Base Scores

version 3.1