CVE-2024-24750

2024-02-1622:15:07

CWE-400

[email protected]

web.nvd.nist.gov

undici

http/1.1 client

node.js

memory leak

cve-2024-24750

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

15.7%

JSON

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

Affected configurations

Vulners

Node

nodejsundiciRange6.0.0–6.6.1

VendorProductVersionCPE
nodejsundici*cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nodejs	undici	*	cpe:2.3:a:nodejs:undici::::::::

CNA Affected

[
  {
    "vendor": "nodejs",
    "product": "undici",
    "versions": [
      {
        "version": ">= 6.0.0, < 6.6.1",
        "status": "affected"
      }
    ]
  }
]