UBUNTU-CVE-2024-24750

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-24750

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-24750.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-24750

Upstream

CVE-2024-24750

Published

2024-02-16T22:15:00Z

Modified

2025-10-10T15:16:49Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

References

Affected packages

Ubuntu:24.04:LTS / node-undici

Package

Name: node-undici
Purl: pkg:deb/ubuntu/node-undici@5.26.3+dfsg1+~cs23.10.12-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.22.1+dfsg1+~cs20.10.10.2-1ubuntu1

5.26.3+dfsg1+~cs23.10.12-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-llhttp",
            "binary_version": "9.1.3~5.26.3+dfsg1+~cs23.10.12-2"
        },
        {
            "binary_name": "node-undici",
            "binary_version": "5.26.3+dfsg1+~cs23.10.12-2"
        }
    ]
}

Ubuntu:25.10 / node-undici

Package

Name: node-undici
Purl: pkg:deb/ubuntu/node-undici@7.3.0+dfsg1+~cs24.12.11-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.3.0+dfsg1+~cs24.12.11-1

7.3.0+dfsg1+~cs24.12.11-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libllhttp-dev",
            "binary_version": "9.2.1~7.3.0+dfsg1+~cs24.12.11-2"
        },
        {
            "binary_name": "libllhttp9.2",
            "binary_version": "9.2.1~7.3.0+dfsg1+~cs24.12.11-2"
        },
        {
            "binary_name": "node-llhttp",
            "binary_version": "9.2.1~7.3.0+dfsg1+~cs24.12.11-2"
        },
        {
            "binary_name": "node-undici",
            "binary_version": "7.3.0+dfsg1+~cs24.12.11-2"
        }
    ]
}

Ubuntu:25.04 / node-undici

Package

Name: node-undici
Purl: pkg:deb/ubuntu/node-undici@7.3.0+dfsg1+~cs24.12.11-1?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.28.4+dfsg1+~cs23.12.11-2

7.*

7.3.0+dfsg1+~cs24.12.11-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libllhttp-dev",
            "binary_version": "9.2.1~7.3.0+dfsg1+~cs24.12.11-1"
        },
        {
            "binary_name": "libllhttp9.2",
            "binary_version": "9.2.1~7.3.0+dfsg1+~cs24.12.11-1"
        },
        {
            "binary_name": "node-llhttp",
            "binary_version": "9.2.1~7.3.0+dfsg1+~cs24.12.11-1"
        },
        {
            "binary_name": "node-undici",
            "binary_version": "7.3.0+dfsg1+~cs24.12.11-1"
        }
    ]
}