CVE-2024-24750

Backpressure request ignored in fetch() in Undici

CVSS 6.5 MEDIUMEPSS 0.7%CWE-400

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected products

nodejs · undici

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw https://security.netapp.com/advisory/ntap-20240419-0006/