CVE-2024-30261

Severity: Low (CVSS 3.1 base score 3.5)
EPSS percentile: 52.1%
Published: Apr 4, 2024
Last Modified: Jun 17, 2026

Description

Undici is an HTTP/1.1 client written from scratch for Node.js. An attacker who can alter the `integrity` option passed to `fetch()` can make `fetch()` accept a fetched response as valid even though its body has been tampered with. This vulnerability was patched in versions 5.28.4 and 6.11.1.

CVSS Details

Base Score
3.5
Exploitability
2.1
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS percentile
52.1% (the rank of this CVE's EPSS exploitation-probability score among all scored CVEs, not the probability itself)
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-284 Improper Access Control

Affected Products 5

Vendor          Product   Version   Range
nodejs          undici    *         < 5.28.4
nodejs          undici    *         >= 6.0.0, < 6.11.1
fedoraproject   fedora    38        any
fedoraproject   fedora    39        any
fedoraproject   fedora    40        any

References 8

  • github.com https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
    Patch
  • github.com https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
    Patch
  • github.com https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
    Vendor Advisory
  • hackerone.com https://hackerone.com/reports/2377760
    Exploit, Issue Tracking
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
    Product
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
    Product
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
    Product
  • security.netapp.com https://security.netapp.com/advisory/ntap-20240905-0008/

Remediation

Upgrade undici to 5.28.4 or later on the 5.x line, or to 6.11.1 or later on the 6.x line. The fixing commits:

  • github.com https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
    Patch
  • github.com https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
    Patch