CVE-2024-38372 Information

Description

Undici is an HTTP/1.1 client written from scratch for Node.js. Depending on network and process conditions of a fetch() request response.arrayBuffer() might include portion of memory from the Node.js process. This has been patched in v6.19.2.

Reference

https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq https://github.com/nodejs/undici/issues/3328 https://github.com/nodejs/undici/issues/3337 https://github.com/nodejs/undici/pull/3338 https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36