CVE-2024-30261 Information
Apr 06, 2024
Description
Undici is an HTTP/1.1 client written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered with. This vulnerability was patched in versions 5.28.4 and 6.11.1.
Reference
https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
https://hackerone.com/reports/2377760