CVE-2024-30261 Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

2024-04-0415:09:11

CWE-284

GitHub_M

github.com

undici

fetch integrity

vulnerability

patched

http/1.1

node.js

CVSS3

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

AI Score

7.2

Confidence

Low

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*"
    ],
    "vendor": "nodejs",
    "product": "undici",
    "versions": [
      {
        "status": "affected",
        "version": "6.0.0",
        "lessThan": "6.11.1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "5.28.4",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]