CVE-2024-38372

CWE-2016 documents5 sources
Severity
2.0LOW
EPSS
0.2%
top 55.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nodejs Undici
Timeline
PublishedJul 8
Latest updateJul 9

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:NExploitability: 0.5 | Impact: 1.4

Affected Packages2 packages

CVEListV5nodejs/undici>= 6.14.0, < 6.19.2
npmundici6.14.06.19.2

🔴Vulnerability Details

4
OSV
Undici vulnerable to data leak when using response.arrayBuffer()2024-07-09
GHSA
Undici vulnerable to data leak when using response.arrayBuffer()2024-07-09
CVEList
Undici vulnerable to data leak when using response.arrayBuffer()2024-07-08
OSV
CVE-2024-38372: Undici is an HTTP/12024-07-08

📋Vendor Advisories

1
Debian
CVE-2024-38372: node-undici - Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on net...2024
CVE-2024-38372 (LOW CVSS 2) | Undici is an HTTP/1.1 client | cvebase.io