CVE-2024-30261 LOW

CVE-2024-30261: Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect

Vendor Nodejs
Product undici
Weakness CWE-284
Published April 4, 2024
Last update November 4, 2025

CVSS base score

2.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered with. This vulnerability was patched in versions 5.28.4 and 6.11.1.

Key dates

02 Disclosure timeline

April 4, 2024 CVE published
November 4, 2025 Record updated