Lucene search

GitHub Advisory DatabaseGHSA-9F24-JQHM-JFCW

HistoryFeb 16, 2024 - 3:59 p.m.

fetch(url) leads to a memory leak in undici

2024-02-1615:59:38

CWE-400

GitHub Advisory Database

github.com

undici

memory leak

fetch

software

patches

workarounds

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

Affected configurations

Vulners

Node

nodejsundiciRange≤6.6.0

CPENameOperatorVersion
undicile6.6.0

CPE	Name	Operator	Version
	undici	le	6.6.0

References

github.com/advisories/GHSA-9f24-jqhm-jfcw

github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663

github.com/nodejs/undici/releases/tag/v6.6.1

github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw

nvd.nist.gov/vuln/detail/CVE-2024-24750

security.netapp.com/advisory/ntap-20240419-0006

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for GHSA-9F24-JQHM-JFCW