Description
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions, calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
References (3)
Third Party Advisory: https://security.netapp.com/advisory/ntap-20240419-0006/
Vendor Advisory (x_refsource_confirm): https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
Patch (x_refsource_misc): https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
Scores
CVSS v3
6.5
EPSS
0.0035
EPSS Percentile
57.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-401
CWE-400
Status
published
Products (2)
nodejs/undici
6.0.0 - 6.6.1
npm/undici
6.0.0 - 6.6.1
Published
Feb 16, 2024
Tracked Since
Feb 18, 2026