CVE-2024-38372

LOW

undici >=6.14.0 <6.19.2 - Information Exposure via response.arrayBuffer()

Title source: llm

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on the network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the Node.js process. This has been patched in v6.19.2.

Scores

CVSS v3 score 2.0
EPSS 0.0044
EPSS Percentile 35.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-201
Status published
Products (2)
nodejs/undici >= 6.14.0, < 6.19.2
npm/undici 6.14.0 - 6.19.2
Published Jul 08, 2024
Tracked Since Feb 18, 2026