CVE-2024-38372: Undici vulnerable to data leak when using response.arrayBuffer()
Depending on network and process conditions of a fetch()
request, response.arrayBuffer()
might include portion of memory from the Node.js process.
References
- github.com/advisories/GHSA-3g92-w8c5-73pq
- github.com/nodejs/undici
- github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36
- github.com/nodejs/undici/issues/3328
- github.com/nodejs/undici/issues/3337
- github.com/nodejs/undici/pull/3338
- github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq
- nvd.nist.gov/vuln/detail/CVE-2024-38372
Detect and mitigate CVE-2024-38372 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →