CVE-2024-30261 Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

2024-04-0415:09:11

CWE-284

GitHub_M

www.cve.org

undici

http/1.1

fetch

integrity

vulnerability

patch

2.6 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

4.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CNA Affected

[
  {
    "vendor": "nodejs",
    "product": "undici",
    "versions": [
      {
        "version": ">= 6.0.0, < 6.11.1",
        "status": "affected"
      },
      {
        "version": "< 5.28.4",
        "status": "affected"
      }
    ]
  }
]