CVE-2024-38372

Low

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request,…

GitHub_M·CWE-201·Published 2024-07-08

CVSS

2.0

EPSS

0.00

KEV

Exploits

cve.orgen

248 chars

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.

NVDen

248 chars

OSV.deven

490 chars

### Impact Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. ### Patches This has been patched in v6.19.2. ### Workarounds There are no known workaround. ### References https://github.com/nodejs/undici/issues/3337 https://github.com/nodejs/undici/issues/3328 https://github.com/nodejs/undici/pull/3338 https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

GHSAen

490 chars

NVDes

262 chars

Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Dependiendo de las condiciones de la red y del proceso de una solicitud `fetch()`, `response.arrayBuffer()` podría incluir parte de la memoria del proceso Node.js. Esto ha sido parcheado en v6.19.2.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	2.0	—	—	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
3.1	Primary	cve.org	2.0	—	—	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
3.1	Secondary	NVD	2.0	0.5	1.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
3.1	Secondary	GHSA	2.0	—	—	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
4.0	Secondary	GHSA	2.0	—	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N