[NPM:GHSA-3G92-W8C5-73PQ] Undici vulnerable to data leak when using response.arrayBuffer()

Severity: Low
Affected Packages: 1
Fixed Packages: 1
CVEs: 1

Impact

Depending on the network and process conditions of a fetch() request, response.arrayBuffer() might include a portion of memory from the Node.js process.

Patches

This has been patched in v6.19.2.

Workarounds

There are no known workarounds.

References

https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/pull/3338
https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

Package: pkg:npm/undici
Affected Version: >= 6.14.0, < 6.19.2
Fixed Version: = 6.19.2
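The affected range above, applied to a project's package-lock.json as an added example (this is not code from the advisory or from the undici project). It assumes a lockfileVersion 2 or 3 lock, whose "packages" map is keyed by install path, so nested copies of undici pulled in by other dependencies are found as well as the top-level one; the sample lock is constructed for the example.

```javascript
// Added example: inventory every undici copy in a package-lock and flag those
// inside the advisory's affected range [6.14.0, 6.19.2). Not part of the advisory
// or of undici. Assumes a lockfileVersion 2/3 lock ("packages" keyed by path).

const AFFECTED_MIN = '6.14.0';  // first affected release (inclusive)
const FIXED_VERSION = '6.19.2'; // first fixed release (exclusive upper bound)

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into a core
// triple plus a flag saying whether a pre-release suffix was present.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Compare two versions: -1, 0 or 1. A pre-release sorts below the release it
// precedes (so 6.19.2-rc.0 < 6.19.2), as semver requires; pre-release
// identifiers are not ordered among themselves, which is enough for a range check.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

// True when version falls inside [AFFECTED_MIN, FIXED_VERSION).
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a parsed lockfile and report every installed undici, direct or nested.
function findUndici(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/undici' || path.endsWith('/node_modules/undici')) {
      out.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return out;
}

// Human-readable report lines, one per undici copy found.
function report(lock) {
  return findUndici(lock).map(r =>
    `${r.path}@${r.version}: ${r.affected ? `AFFECTED, upgrade to >= ${FIXED_VERSION}` : 'ok'}`);
}

// Constructed sample lock: a fixed top-level copy and a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/undici': { version: '6.19.2' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { undici: '^6.14.0' } },
    'node_modules/some-lib/node_modules/undici': { version: '6.18.0' },
  },
};

// For a real project, replace SAMPLE_LOCK with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
console.log(report(SAMPLE_LOCK).join('\n'));
```

The nested copy is the one most inventories miss: a top-level `npm ls undici` that shows 6.19.2 says nothing about a second copy hoisted under another dependency, which is why the walk matches any path ending in `node_modules/undici`.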
ID: NPM:GHSA-3G92-W8C5-73PQ
Severity: low
URL: https://github.com/advisories/GHSA-3g92-w8c5-73pq
Published: 2024-07-09T13:32:30
Modified: 2024-07-09T13:32:38
Rights: NPM Security Team
Type: Affected; Package URL: pkg:npm/undici; Name: undici; Version: >= 6.14.0, < 6.19.2
Type: Fixed; Package URL: pkg:npm/undici; Name: undici; Version: = 6.19.2