CVE-2024-24750

EPSS 0.36%
Published 16.02.2024 22:15:07
Last modified 17.12.2024 17:40:47
Source security-advisories@github.com
Teams watchlist Login
Open Login

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

Affected products Warnungen 0 Metrics 3 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Nodejs ≫ Undici SwPlatformnode.js Version >= 6.0.0 < 6.6.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.36%	0.571

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663

Patch

https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240419-0006/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-24750

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-24750

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-24750

EUVD