GHSA-9qxr-qj54-h672

Опубликовано: 04 апр. 2024

Источник: github

Github: Прошло ревью

CVSS3: 2.6

Описание

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Ссылки

Пакеты

Наименование

undici

npm

Затронутые версииВерсия исправления

< 5.28.4

5.28.4

Наименование

undici

npm

Затронутые версииВерсия исправления

>= 6.0.0, < 6.11.1

6.11.1

EPSS

Процентиль: 24%

0.00081

Низкий

2.6 Low

CVSS3

CVE ID

CVE-2024-30261

Дефекты

CWE-284

Связанные уязвимости

CVE-2024-30261

CVSS3: 2.6

ubuntu

почти 2 года назад

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.