CVE-2024-24750

2024-02-1622:15:07

Debian Security Bug Tracker

security-tracker.debian.org

undici http/1.1 client

node.js

memory leak.

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

OSVersionArchitecturePackageVersionFilename
Debian12allnode-undici< 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3_all.deb
Debian999allnode-undici< 5.28.4+dfsg1+~cs23.12.11-2node-undici_5.28.4+dfsg1+~cs23.12.11-2_all.deb
Debian13allnode-undici< 5.28.4+dfsg1+~cs23.12.11-2node-undici_5.28.4+dfsg1+~cs23.12.11-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	node-undici	< 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3	node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3_all.deb
Debian	999	all	node-undici	< 5.28.4+dfsg1+~cs23.12.11-2	node-undici_5.28.4+dfsg1+~cs23.12.11-2_all.deb
Debian	13	all	node-undici	< 5.28.4+dfsg1+~cs23.12.11-2	node-undici_5.28.4+dfsg1+~cs23.12.11-2_all.deb