Skip to content

Data leak when using response.arrayBuffer()

Low
mcollina published GHSA-3g92-w8c5-73pq Jul 8, 2024

Package

npm undici (npm)

Affected versions

>= v6.14.0 < v6.19.2

Patched versions

>= v6.19.2

Description

Impact

Depending on network and process conditions of a fetch() request, response.arrayBuffer() might include portion of memory from the Node.js process.

Patches

This has been patched in v6.19.2.

Workarounds

There are no known workaround.

References

#3337
#3328
#3338
f979ec3

Severity

Low
2.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2024-38372

Weaknesses

Credits