Fluid Attacks Database

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-undici	>=0 <5.28.4+dfsg1+~cs23.12.11-1	5.28.4+dfsg1+~cs23.12.11-1
debian 12	node-undici	=5.15.0+dfsg1+~cs20.10.9.3-1 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 \|\| =5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 \|\| =5.19.1+dfsg1+~cs20.10.9.5-1 \|\| =5.19.1+dfsg1+~cs20.10.9.5-2 \|\| =5.22.1+dfsg1+~cs20.10.10.2-1 \|\| =5.26.3+dfsg1+~cs23.10.12-1 \|\| =5.26.3+dfsg1+~cs23.10.12-2 \|\| =5.26.3+dfsg1+~cs23.10.12-3 \|\| =5.28.0+dfsg1+~cs23.11.12.3-1 \|\| =5.28.0+dfsg1+~cs23.11.12.3-2 \|\| =5.28.2+dfsg1+~cs23.11.12.3-1 \|\| =5.28.2+dfsg1+~cs23.11.12.3-2 \|\| =5.28.2+dfsg1+~cs23.11.12.3-3 \|\| =5.28.2+dfsg1+~cs23.11.12.3-4 \|\| =5.28.2+dfsg1+~cs23.11.12.3-5 \|\| =5.28.2+dfsg1+~cs23.11.12.3-6 \|\| =5.28.4+dfsg1+~cs23.12.11-1 \|\| =5.28.4+dfsg1+~cs23.12.11-2 \|\| =7.1.0+dfsg1+~cs24.12.10-1 \|\| =7.15.0+dfsg+~cs3.2.0-1 \|\| =7.15.0+dfsg+~cs3.2.0-3 \|\| =7.16.0+dfsg+~cs3.2.0-1 \|\| =7.16.0+dfsg+~cs3.2.0-2 \|\| =7.18.2+dfsg+~cs3.2.0-1 \|\| =7.2.3+dfsg1+~cs24.12.11-1 \|\| =7.2.3+dfsg1+~cs24.12.11-2 \|\| =7.24.5+dfsg+~cs3.2.0-1 \|\| =7.24.6+dfsg+~cs3.2.0-1 \|\| =7.24.6+dfsg+~cs3.2.0-2 \|\| =7.3.0+dfsg1+~cs24.12.11-1 \|\| =7.3.0+dfsg1+~cs24.12.11-2	-
debian 13	node-undici	>=0 <5.28.4+dfsg1+~cs23.12.11-1	5.28.4+dfsg1+~cs23.12.11-1
npm	undici	>=0 <5.28.4 \|\| >=6.0.0 <6.11.1	5.28.4, 6.11.1

Aliases

1. CVE-2024-302612. NVD-2024-302613. OSV-DEBIAN-2024-302614. OSV-2024-302615. GHSA-9qxr-qj54-h6726. GCVE-2024-302617. SECURITY-TRACKER-CVE-2024-30261

References

1. https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h6722. https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae260553. https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f34. https://hackerone.com/reports/23777605. https://lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB336. https://lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ7. https://lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E8. https://security.netapp.com/advisory/ntap-20240905-0008