CVE-2024-38372 LOW

CVE-2024-38372: Undici vulnerable to data leak when using response.arrayBuffer()

Vendor Nodejs
Product undici
Weakness CWE-201
Published July 8, 2024
Last update August 28, 2024

CVSS base score

2.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on the network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the Node.js process. This has been patched in v6.19.2.

Key dates

02 Disclosure timeline

July 8, 2024 CVE published
August 28, 2024 Record updated
