CVE-2024-38372

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
GitHub_MCNA
2 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Debian logo
Debian Releases
Debian Product
Codename
node-undici
bookworm
5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4
fixed
bookworm (security)
5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3
fixed
trixie
7.3.0+dfsg1+~cs24.12.11-1
fixed
sid
7.3.0+dfsg1+~cs24.12.11-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-undici
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
dne
focal
dne
Common Weakness Enumeration
References
https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/pull/3338
https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq
https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/pull/3338
https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq
https://security.netapp.com/advisory/ntap-20240828-0009/