CVE-2024-24750
MEDIUM
Undici 6.0.0-6.6.0 - Use-After-Free via Unconsumed Fetch Body
Title source: llmDescription
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions, calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
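The advisory's workaround, always consume the incoming body, as an added example that is not code from the undici project: a small wrapper that drains or cancels the body on every exit path, exercised against a constructed stand-in for fetch(). The names fetchAndRelease, makeFakeFetch and the example.invalid URL are assumptions, and the code relies on Node's global Response and ReadableStream (Node 18 or later).

```javascript
// Added example, not code from the undici project: a helper implementing the
// advisory's workaround (always consume or cancel the fetch body) on top of a
// constructed fetch stand-in built from Node's global Response/ReadableStream.
// Run handler against the response, then release the body on every path:
// normal return, early return and thrown error alike.
async function fetchAndRelease(fetchImpl, url, handler) {
  const res = await fetchImpl(url);
  try {
    return await handler(res);
  } finally {
    // Cancel only if the handler left the stream untouched; a body already
    // read (bodyUsed) or held by a reader (locked) belongs to the handler.
    if (res.body && !res.bodyUsed && !res.body.locked) {
      await res.body.cancel();
    }
  }
}

// Constructed stand-in for fetch(): serves three chunks and records whether
// the consumer cancelled the stream, so body release is observable offline.
function makeFakeFetch() {
  const state = { pulls: 0, cancelled: false };
  const fetchImpl = async () =>
    new Response(
      new ReadableStream({
        pull(controller) {
          state.pulls += 1;
          controller.enqueue(new TextEncoder().encode("chunk"));
          if (state.pulls === 3) controller.close();
        },
        cancel() { state.cancelled = true; },
      }),
      { status: 200, headers: { "content-type": "text/plain" } },
    );
  return { fetchImpl, state };
}

// Three callers: status only (the leak-prone pattern in the advisory), a full
// body read, and a handler that throws. Returns what each left behind.
async function demo() {
  const a = makeFakeFetch(), b = makeFakeFetch(), c = makeFakeFetch();
  const status = await fetchAndRelease(a.fetchImpl, "https://example.invalid/", (res) => res.status);
  const text = await fetchAndRelease(b.fetchImpl, "https://example.invalid/", (res) => res.text());
  let threw = false;
  try { await fetchAndRelease(c.fetchImpl, "https://example.invalid/", () => { throw new Error("boom"); }); }
  catch { threw = true; }
  return { status, text, threw, cancelledA: a.state.cancelled, cancelledB: b.state.cancelled, cancelledC: c.state.cancelled };
}

demo().then(console.log);
```

The status-only caller is the pattern the advisory warns about; with the wrapper, its untouched stream is cancelled instead of being left open.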
References (3)
Third Party Advisory: https://security.netapp.com/advisory/ntap-20240419-0006/
Vendor Advisory (x_refsource_confirm): https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
Patch (x_refsource_misc): https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
Scores
CVSS v3
6.5
EPSS
0.0070
EPSS Percentile
48.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-400
CWE-401
Status
published
Products (2)
nodejs/undici
6.0.0 - 6.6.1
npm/undici
6.0.0 - 6.6.1
Published
Feb 16, 2024
Tracked Since
Feb 18, 2026