Memory Leak in Undici HTTP/1.1 Client Affects Users, Upgrade to 6.6.1 Advised
CVE-2024-24750

6.5MEDIUM

Key Information:

Vendor: Nodejs
Status: Undici
Vendor: CVE Published:; 16 February 2024

What is CVE-2024-24750?

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

Affected Version(s)

undici >= 6.0.0, < 6.6.1

References

https://github.com/nodejs/undici/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/nodejs/undici/commit/87a48113f1f68f60a...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20240419-0006/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 16, 2024
Vulnerability Reserved
Jan 29, 2024

Nodejs

What is CVE-2024-24750?

Affected Version(s)

References

CVSS V3.1

Timeline