CVE-2024-38372

EUVD-2024-2235
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
nodejsundici
6.14.0 ≤
𝑥
< 6.19.2
ADP
Debian logo
Debian Releases
Debian Product
Codename
node-undici
bookworm
5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4
fixed
bookworm (security)
5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3
fixed
forky
7.16.0+dfsg+~cs3.2.0-2
fixed
sid
7.16.0+dfsg+~cs3.2.0-2
fixed
trixie
7.3.0+dfsg1+~cs24.12.11-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-undici
focal
dne
jammy
dne
mantic
ignored
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
Common Weakness Enumeration
References
https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/pull/3338
https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq
https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/pull/3338
https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq
https://security.netapp.com/advisory/ntap-20240828-0009/