CVE-2024-24750 MEDIUM

CVE-2024-24750: Backpressure request ignored in fetch() in Undici

Vendor Nodejs
Product undici
Weakness CWE-400
Published February 16, 2024
Last update February 13, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

Key dates

02Disclosure timeline

February 16, 2024 CVE published
February 13, 2025 Record updated