CVE-2024-24750: Uncontrolled Resource Consumption

February 16, 2024

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

References

github.com/advisories/GHSA-9f24-jqhm-jfcw
github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
github.com/nodejs/undici/releases/tag/v6.6.1
github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw

Detect and mitigate CVE-2024-24750 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →