{"url":"http://public2.vulnerablecode.io/api/packages/68976?format=json","purl":"pkg:npm/undici@6.0.0","type":"npm","namespace":"","name":"undici","version":"6.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.6.1","latest_non_vulnerable_version":"7.18.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47405?format=json","vulnerability_id":"VCID-7axr-j2xk-cugt","summary":"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.","references":[{"reference_url":"https://github.com/nodejs/undici","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici"},{"reference_url":"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"},{"reference_url":"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"},{"reference_url":"https://hackerone.com/reports/2377760","reference_id":"","reference_type":"","scores":[],"url":"https://hackerone.com/reports/2377760"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240905-0008","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240905-0008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30261","reference_id":"CVE-2024-30261","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30261"},{"reference_url":"https://github.com/advisories/GHSA-9qxr-qj54-h672","reference_id":"GHSA-9qxr-qj54-h672","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9qxr-qj54-h672"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672","reference_id":"GHSA-9qxr-qj54-h672","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69652?format=json","purl":"pkg:npm/undici@6.11.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1"}],"aliases":["CVE-2024-30261","GHSA-9qxr-qj54-h672"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7axr-j2xk-cugt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47024?format=json","vulnerability_id":"VCID-gtpw-gdtw-y3an","summary":"Uncontrolled Resource Consumption\nUndici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.","references":[{"reference_url":"https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"},{"reference_url":"https://github.com/nodejs/undici/releases/tag/v6.6.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/releases/tag/v6.6.1"},{"reference_url":"https://github.com/advisories/GHSA-9f24-jqhm-jfcw","reference_id":"GHSA-9f24-jqhm-jfcw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9f24-jqhm-jfcw"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw","reference_id":"GHSA-9f24-jqhm-jfcw","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68978?format=json","purl":"pkg:npm/undici@6.6.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1"}],"aliases":["CVE-2024-24750","GHSA-9f24-jqhm-jfcw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gtpw-gdtw-y3an"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47404?format=json","vulnerability_id":"VCID-kqg3-sar6-b7em","summary":"Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.","references":[{"reference_url":"https://github.com/nodejs/undici","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici"},{"reference_url":"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"},{"reference_url":"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"},{"reference_url":"https://hackerone.com/reports/2408074","reference_id":"","reference_type":"","scores":[],"url":"https://hackerone.com/reports/2408074"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240905-0008","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240905-0008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30260","reference_id":"CVE-2024-30260","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30260"},{"reference_url":"https://github.com/advisories/GHSA-m4v8-wqvr-p9f7","reference_id":"GHSA-m4v8-wqvr-p9f7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m4v8-wqvr-p9f7"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7","reference_id":"GHSA-m4v8-wqvr-p9f7","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69652?format=json","purl":"pkg:npm/undici@6.11.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1"}],"aliases":["CVE-2024-30260","GHSA-m4v8-wqvr-p9f7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kqg3-sar6-b7em"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47025?format=json","vulnerability_id":"VCID-p6ay-wzxh-qugg","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nUndici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but does not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef"},{"reference_url":"https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458"},{"reference_url":"https://github.com/nodejs/undici/releases/tag/v5.28.3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/releases/tag/v5.28.3"},{"reference_url":"https://github.com/nodejs/undici/releases/tag/v6.6.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/releases/tag/v6.6.1"},{"reference_url":"https://github.com/advisories/GHSA-3787-6prv-h9w3","reference_id":"GHSA-3787-6prv-h9w3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3787-6prv-h9w3"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3","reference_id":"GHSA-3787-6prv-h9w3","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68978?format=json","purl":"pkg:npm/undici@6.6.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1"}],"aliases":["CVE-2024-24758","GHSA-3787-6prv-h9w3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p6ay-wzxh-qugg"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0"}