CVE-2024-30260
Published: 4 April 2024
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Priority
Status
Package | Release | Status |
---|---|---|
node-undici Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Needs triage
|
|
noble |
Needs triage
|
|
upstream |
Released
(5.28.4+dfsg1+~cs23.12.11-1)
|
References
- https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
- https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f (v5.28.4)
- https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75 (v6.11.1)
- https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
- https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
- https://www.cve.org/CVERecord?id=CVE-2024-30260
- NVD
- Launchpad
- Debian