CVE-2024-30261
Published 2024-04-04
Severity: low, 3.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered with. This vulnerability was patched in versions 5.28.4 and 6.11.1.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-undici | < node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) | node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_nodejs18_18.18.2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs18_18.20.2-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| nodejs | undici | < 5.28.4 | 5.28.4 |
| nodejs | undici | — | — |
| nodejs | undici | >= 0 < 5.28.4 | 5.28.4 |
| nodejs | undici | >= 6.0.0 < 6.11.1 | 6.11.1 |
| nodejs | undici | >= 6.0.0 < 6.11.1 | 6.11.1 |
CVSS provenance
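| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
| osv | — | 3.5 | LOW | — |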