SB2024022211 - Multiple vulnerabilities in Undici for Node.js
Published: February 22, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2024-24750)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when fetching external URLs. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Information disclosure (CVE-ID: CVE-2024-24758)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the application does not clear the Proxy-Authentication HTTP header when handling cross-origin redirects. A remote attacker can gain access to sensitive information.
Remediation
Install update from vendor's website.
References
- https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
- https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
- https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
- https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef