Home > Vulnerability Database > CVE-2024-30261

Mend.io Vulnerability Database

CVE-2024-30261

Good to know:

Date: April 4, 2024

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the "integrity" option passed to "fetch()", allowing "fetch()" to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Language: JS

Severity Score

2.6

Related Resources (14)

Url: https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3

Url: https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672

Url: https://security-tracker.debian.org/tracker/CVE-2024-30261

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-30261

Url: https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/

Url: https://hackerone.com/reports/2377760

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/

Url: https://github.com/nodejs/undici

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E

Url: https://www.mend.io/vulnerability-database/CVE-2024-30261

Severity Score

2.6

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version undici - 6.11.1;undici - 5.28.4

Learn More

CVSS v3.1

Base Score:	2.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-30261

Good to know:

Date: April 4, 2024

Language: JS

Severity Score

Related Resources (14)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?