CVE-2024-30261

CWE-284 — Improper Access Control8 documents7 sources

Severity

3.5LOW

EPSS

0.1%

top 81.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Undici Fedoraproject Fedora

Timeline

PublishedApr 4

Latest updateApr 9

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5nodejs/undici< 5.28.4+1

▶NVDnodejs/undici6.0.0 — 6.11.1+1

▶Debiannode-undici< 5.28.4+dfsg1+~cs23.12.11-1+1

▶npmundici6.0.0 — 6.11.1+1

Also affects: Fedora 38, 39, 40

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect↗2024-04-04

▶

CVEList

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect↗2024-04-04

▶

OSV

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect↗2024-04-04

▶

OSV

CVE-2024-30261: Undici is an HTTP/1↗2024-04-04

▶

📋Vendor Advisories

Microsoft

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect↗2024-04-09

▶

Red Hat

nodejs-undici: fetch() with integrity option is too lax when algorithm is specified but hash value is in incorrect↗2024-04-04

▶

Debian

CVE-2024-30261: node-undici - Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can ...↗2024

▶