Fluid Attacks Database

Description

Undici vulnerable to data leak when using response.arrayBuffer()

Impact

Depending on network and process conditions of a fetch() request, response.arrayBuffer() might include portion of memory from the Node.js process.

Patches

This has been patched in v6.19.2.

Workarounds

There are no known workaround.

References

https://github.com/nodejs/undici/issues/3337 https://github.com/nodejs/undici/issues/3328 https://github.com/nodejs/undici/pull/3338 https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	undici	>=6.14.0 <6.19.2	6.19.2

Aliases

1. CVE-2024-383722. NVD-2024-383723. OSV-2024-383724. GHSA-3g92-w8c5-73pq5. GCVE-2024-38372

References

1. https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq2. https://github.com/nodejs/undici/issues/33283. https://github.com/nodejs/undici/issues/33374. https://github.com/nodejs/undici/pull/33385. https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.