Package Instance
Look up a package by Package URL (purl) and list the vulnerabilities that affect it, together with the versions that fix them.
GET /api/packages/68976?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/68976?format=api", "purl": "pkg:npm/undici@6.0.0", "type": "npm", "namespace": "", "name": "undici", "version": "6.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.6.1", "latest_non_vulnerable_version": "7.18.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47405?format=api", "vulnerability_id": "VCID-7axr-j2xk-cugt", "summary": "Undici's fetch with integrity option is too lax when an algorithm is specified but the hash value is incorrect\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can make `fetch()` accept a response as valid even if its content has been tampered with.", "references": [ { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055" }, { "reference_url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3" }, { "reference_url": "https://hackerone.com/reports/2377760", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/2377760" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240905-0008", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20240905-0008" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30261", "reference_id": "CVE-2024-30261", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30261" }, { "reference_url": "https://github.com/advisories/GHSA-9qxr-qj54-h672", "reference_id": "GHSA-9qxr-qj54-h672", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9qxr-qj54-h672" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "reference_id": "GHSA-9qxr-qj54-h672", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69652?format=api", "purl": "pkg:npm/undici@6.11.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1" } ], "aliases": [ "CVE-2024-30261", "GHSA-9qxr-qj54-h672" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-7axr-j2xk-cugt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47024?format=api", "vulnerability_id": "VCID-gtpw-gdtw-y3an", "summary": "Uncontrolled Resource Consumption\nUndici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.", "references": [ { "reference_url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v6.6.1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/releases/tag/v6.6.1" }, { "reference_url": "https://github.com/advisories/GHSA-9f24-jqhm-jfcw", "reference_id": "GHSA-9f24-jqhm-jfcw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9f24-jqhm-jfcw" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "reference_id": "GHSA-9f24-jqhm-jfcw", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68978?format=api", "purl": "pkg:npm/undici@6.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1" } ], "aliases": [ "CVE-2024-24750", "GHSA-9f24-jqhm-jfcw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-gtpw-gdtw-y3an" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47404?format=api", "vulnerability_id": "VCID-kqg3-sar6-b7em", "summary": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.", "references": [ { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f" }, { "reference_url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75" }, { "reference_url": "https://hackerone.com/reports/2408074", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/2408074" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { 
"reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240905-0008", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20240905-0008" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30260", "reference_id": "CVE-2024-30260", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30260" }, { "reference_url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7", "reference_id": "GHSA-m4v8-wqvr-p9f7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "reference_id": "GHSA-m4v8-wqvr-p9f7", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69652?format=api", "purl": "pkg:npm/undici@6.11.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1" } ], "aliases": [ "CVE-2024-30260", "GHSA-m4v8-wqvr-p9f7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kqg3-sar6-b7em" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47025?format=api", "vulnerability_id": "VCID-p6ay-wzxh-qugg", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nUndici is an HTTP/1.1 client, written from scratch for Node.js. 
Undici already cleared the `Authorization` header on cross-origin redirects in `fetch()`, but did not clear the `Proxy-Authorization` header (written as `Proxy-Authentication` in the original advisory text), so proxy credentials could be forwarded to a third-party origin. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef" }, { "reference_url": "https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v5.28.3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/releases/tag/v5.28.3" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v6.6.1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/releases/tag/v6.6.1" }, { "reference_url": "https://github.com/advisories/GHSA-3787-6prv-h9w3", "reference_id": "GHSA-3787-6prv-h9w3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3787-6prv-h9w3" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", "reference_id": "GHSA-3787-6prv-h9w3", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68978?format=api", "purl": "pkg:npm/undici@6.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1" } ], "aliases": [ "CVE-2024-24758", "GHSA-3787-6prv-h9w3" ], "risk_score": null, 
"exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p6ay-wzxh-qugg" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0" }