{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24750", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-29T20:51:26.009Z", "datePublished": "2024-02-16T21:42:29.999Z", "dateUpdated": "2025-02-13T17:40:21.089Z"}, "containers": {"cna": {"title": "Backpressure request ignored in fetch() in Undici", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"}, {"name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0006/"}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"version": ">= 6.0.0, < 6.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-19T07:06:03.993Z"}, "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body."}], "source": {"advisory": "GHSA-9f24-jqhm-jfcw", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "nodejs", "product": "undici", "cpes": ["cpe:2.3:a:nodejs:undici:6.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0.0", "status": "affected", "lessThan": "6.6.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-21T19:30:24.448932Z", "id": "CVE-2024-24750", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T16:45:31.786Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.823Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"}, {"name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0006/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0006/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.823Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24750", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-21T19:30:24.448932Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nodejs:undici:6.0.0:*:*:*:*:*:*:*"], "vendor": "nodejs", "product": "undici", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.6.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T16:45:27.188Z"}}], "cna": {"title": "Backpressure request ignored in fetch() in Undici", "source": {"advisory": "GHSA-9f24-jqhm-jfcw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"status": "affected", "version": ">= 6.0.0, < 6.6.1"}]}], "references": [{"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0006/"}], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-19T07:06:03.993Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24750", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:40:21.089Z", "dateReserved": "2024-01-29T20:51:26.009Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-16T21:42:29.999Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "86BD557D-23A2-411A-80E5-D0F212737103", "versionEndExcluding": "6.6.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body."}, {"lang": "es", "value": "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. En las versiones afectadas, llamar a `fetch(url)` y no consumir el cuerpo entrante ((o consumirlo muy lentamente) provocar\u00e1 una p\u00e9rdida de memoria. Este problema se solucion\u00f3 en la versi\u00f3n 6.6.1. Se recomienda a los usuarios actualizar. Los usuarios no pueden Para actualizar debe asegurarse de consumir siempre el cuerpo entrante."}], "id": "CVE-2024-24750", "lastModified": "2024-12-17T17:40:47.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-16T22:15:07.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240419-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240419-0006/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "undici: memory leak", "id": "2264728", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264728"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.", "An uncontrolled resource consumption flaw was found in undici. Calling `fetch(url)` and not consuming the incoming body or consuming it very slowly leads to a memory leak."], "name": "CVE-2024-24750", "package_state": [{"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "undici", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2024-02-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-24750\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-24750\nhttps://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"], "statement": "Users unable to upgrade should make sure to always consume the incoming body.", "threat_severity": "Moderate", "upstream_fix": "undici 6.6.1"}