CVE-2024-38375: @fastly/js-compute has a use-after-free in some host call implementations

The implementation of the following functions were determined to include a use-after-free bug:

  • FetchEvent.client.tlsCipherOpensslName
  • FetchEvent.client.tlsProtocol
  • FetchEvent.client.tlsClientCertificate
  • FetchEvent.client.tlsJA3MD5
  • FetchEvent.client.tlsClientHello
  • CacheEntry.prototype.userMetadata of the fastly:cache subsystem
  • Device.lookup of the fastly:device subsystem

This bug could allow for an unintended data leak if the result of the preceding functions were sent anywhere else, and often results in a Compute service crash causing an HTTP 500 error to be returned. As all requests to Compute are isolated from one another, the only data at risk is data present for a single request.

References

Code Behaviors & Features

Detect and mitigate CVE-2024-38375 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →