CVE-2024-30261
Published: 4 April 2024
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Priority
Status
Package | Release | Status |
---|---|---|
node-undici Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Needs triage
|
|
noble |
Needs triage
|
|
upstream |
Released
(5.28.4+dfsg1+~cs23.12.11-1)
|
References
- https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
- https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 (v5.28.4)
- https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3 (v6.11.1)
- https://hackerone.com/reports/2377760
- https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
- https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
- https://www.cve.org/CVERecord?id=CVE-2024-30261
- NVD
- Launchpad
- Debian