#VU93884 Memory leak in undici - CVE-2024-38372

Cybersecurity Help s.r.o.

Published: 2024-07-09

Vulnerability identifier: #VU93884

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-38372

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
undici
Server applications / File servers (FTP/HTTP)

Vendor: Node.js

Description
The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due memory leak when using the response.arrayBuffer(). A remote attacker can force the application to leak parts of Node.js process memory.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

undici: 6.14.0 - 6.19.1

External links
https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/pull/3338
https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cognos Dashboards on Cloud Pak for Data

Memory leak in App Connect Enterprise Certified Container

Information disclosure in undici