| Name | CVE-2024-38372 |
| Description | Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-undici (PTS) | bookworm | 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 | fixed |
| bookworm (security) | 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 | fixed | |
| sid, trixie | 7.3.0+dfsg1+~cs24.12.11-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-undici | source | (unstable) | (not affected) |
- node-undici <not-affected> (Vulnerable code introduced later)
https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/pull/3338
Introduced by: https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36 (v6.14.0)
Fixed by: https://github.com/nodejs/undici/commit/035524e71756f1f6e2f9886f3c7227394bdb5363 (v6.19.2)