GHSA-9qxr-qj54-h672
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9qxr-qj54-h672
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9qxr-qj54-h672
- Aliases
- Published
- 2024-04-04T14:20:54Z
- Modified
- 2024-04-20T00:31:52Z
- Severity
-
- 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
- Details
-
Impact
If an attacker can alter the
integrityoption passed tofetch(), they can letfetch()accept requests as valid even if they have been tampered.Patches
Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that
integritycannot be tampered with.References
https://hackerone.com/reports/2377760
- References
-
- https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
- https://nvd.nist.gov/vuln/detail/CVE-2024-30261
- https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
- https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
- https://hackerone.com/reports/2377760
- https://github.com/nodejs/undici
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
Affected packages
npm / undici
Package
- Name
- undici
- View open source insights on deps.dev
- Purl
- pkg:npm/undici
npm / undici
Package
- Name
- undici
- View open source insights on deps.dev
- Purl
- pkg:npm/undici