CVE-2024-24750

CWE-400 — Uncontrolled Resource Consumption CWE-401 — Memory Leak7 documents6 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 45.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Undici

Timeline

PublishedFeb 16

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDnodejs/undici6.0.0 — 6.6.1

▶CVEListV5nodejs/undici>= 6.0.0, < 6.6.1

▶npmundici6.0.0 — 6.6.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Backpressure request ignored in fetch() in Undici↗2024-02-16

▶

OSV

fetch(url) leads to a memory leak in undici↗2024-02-16

▶

OSV

CVE-2024-24750: Undici is an HTTP/1↗2024-02-16

▶

GHSA

fetch(url) leads to a memory leak in undici↗2024-02-16

▶

📋Vendor Advisories

Red Hat

undici: memory leak↗2024-02-16

▶

Debian

CVE-2024-24750: node-undici - Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected vers...↗2024

▶