Описание
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | 5.28.4+dfsg1+~cs23.12.11-2 |
| esm-apps/noble | needs-triage | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| mantic | ignored | end of life, was needs-triage |
| noble | needs-triage | |
| oracular | ignored | end of life, was needs-triage |
| plucky | not-affected | 5.28.4+dfsg1+~cs23.12.11-2 |
| questing | not-affected | 5.28.4+dfsg1+~cs23.12.11-2 |
Показывать по
Ссылки на источники
EPSS
2.6 Low
CVSS3
Связанные уязвимости
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Undici is an HTTP/1.1 client, written from scratch for Node.js. An att ...
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
EPSS
2.6 Low
CVSS3