Bug 2273519 (CVE-2024-30261) - CVE-2024-30261 nodejs-undici: fetch() with integrity option is too lax when algorithm is specified but hash value is incorrect
Summary: CVE-2024-30261 nodejs-undici: fetch() with integrity option is too lax when algorithm is specified but hash value is incorrect
Keywords:
Status: NEW
Alias: CVE-2024-30261
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2273521
Blocks: 2273518
Reported: 2024-04-04 20:02 UTC by Robb Gatica
Modified: 2024-04-19 07:43 UTC
CC List: 2 users

Fixed In Version: undici 5.28.4, undici 6.11.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the nodejs-undici package. When the integrity option passed to fetch() names a supported hash algorithm but carries an incorrect hash value, the integrity check is too lax. An attacker able to alter the integrity option may cause fetch() to accept a response as valid even if its body has been tampered with.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Robb Gatica 2024-04-04 20:02:32 UTC
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered with. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
https://hackerone.com/reports/2377760

Comment 1 Robb Gatica 2024-04-04 20:06:37 UTC
Created nodejs-undici tracking bugs for this issue:

Affects: fedora-all [bug 2273521]
