CVE-2024-24750

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663	Patch
https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw	Vendor Advisory
https://security.netapp.com/advisory/ntap-20240419-0006/	Third Party Advisory
https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663	Patch
https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw	Vendor Advisory
https://security.netapp.com/advisory/ntap-20240419-0006/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

History

17 Dec 2024, 17:40

Type	Values Removed	Values Added
First Time		Nodejs Nodejs undici
References	~~() https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 -~~	() https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 - Patch
References	~~() https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw -~~	() https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw - Vendor Advisory
References	~~() https://security.netapp.com/advisory/ntap-20240419-0006/ -~~	() https://security.netapp.com/advisory/ntap-20240419-0006/ - Third Party Advisory
CPE		cpe:2.3:a:nodejs:undici::::::node.js::*
CWE		CWE-401

Information

Published : 2024-02-16 22:15

Updated : 2024-12-17 17:40

NVD link : CVE-2024-24750

Mitre link : CVE-2024-24750

CVE.ORG link : CVE-2024-24750

JSON object : View

Products Affected

nodejs

undici

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2024-24750", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-02-16T22:15:07.947", "references": [{"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0006/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0006/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body."}, {"lang": "es", "value": "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. En las versiones afectadas, llamar a `fetch(url)` y no consumir el cuerpo entrante ((o consumirlo muy lentamente) provocar\u00e1 una p\u00e9rdida de memoria. Este problema se solucion\u00f3 en la versi\u00f3n 6.6.1. Se recomienda a los usuarios actualizar. Los usuarios no pueden Para actualizar debe asegurarse de consumir siempre el cuerpo entrante."}], "lastModified": "2024-12-17T17:40:47.303", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "86BD557D-23A2-411A-80E5-D0F212737103", "versionEndExcluding": "6.6.1", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}