CVE-2024-30261

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
GitHub_MCNA
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
VendorProductVersion
nodejsundici
𝑥
< 5.28.4
nodejsundici
6.0.0 ≤
𝑥
< 6.11.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-undici
bookworm
no-dsa
bookworm (security)
vulnerable
trixie
7.3.0+dfsg1+~cs24.12.11-1
fixed
sid
7.3.0+dfsg1+~cs24.12.11-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-undici
plucky
not-affected
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
dne
focal
dne
Common Weakness Enumeration
References
https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
https://hackerone.com/reports/2377760
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
https://hackerone.com/reports/2377760
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/