CVE-2024-24750
Published: 16 February 2024
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
node-undici Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Needs triage
|
|
| noble |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(debian: Vulnerable code not present)
|
|
| xenial |
Does not exist
|
References
- https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
- https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 (v6.6.1)
- https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
- https://www.cve.org/CVERecord?id=CVE-2024-24750
- NVD
- Launchpad
- Debian