fetch(url) leads to a memory leak in undici · CVE-2024-24750 · GitHub Advisory Database · GitHub

fetch(url) leads to a memory leak in undici

Moderate severity GitHub Reviewed Published Feb 16, 2024 in nodejs/undici • Updated Apr 19, 2024

Package

undici (npm)

Affected versions

>= 6.0.0, <= 6.6.0

Patched versions

6.6.1

Description

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

References

mcollina published to nodejs/undici

Feb 16, 2024

Published to the GitHub Advisory Database Feb 16, 2024

Reviewed Feb 16, 2024

Published by the National Vulnerability Database

Feb 16, 2024

Last updated Apr 19, 2024

Severity

Moderate

6.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H