CVE-2024-30260

Published: 4 April 2024

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Priority

Status

Package	Release	Status
node-undici Launchpad, Ubuntu, Debian	focal	Does not exist
	jammy	Does not exist
	mantic	Needs triage
	noble	Needs triage
	upstream	Released (5.28.4+dfsg1+~cs23.12.11-1)

References

https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f (v5.28.4)
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75 (v6.11.1)
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
https://www.cve.org/CVERecord?id=CVE-2024-30260
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.