#VU88178 Insufficient verification of data authenticity in undici - CVE-2024-30261

 


Published: April 5, 2024


Vulnerability identifier: #VU88178
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-30261
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: undici
Software vendor: Node.js

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists because the application does not verify the authenticity of data. A remote attacker can alter the "integrity" option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered with.
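
As a defence-in-depth measure alongside the vendor update, a caller can verify a downloaded body against its pinned integrity string itself instead of relying only on the "integrity" option of fetch(). The following is an added example, not code from undici or from this advisory; the function names (parseIntegrity, verifyBody, makeIntegrity) and the sample data are constructed for illustration.

```javascript
// Added example: check a body against an SRI-style integrity string
// ("sha384-<base64>") independently of fetch()'s own integrity handling.
const { createHash, timingSafeEqual } = require("node:crypto");

// Strongest first, following the SRI priority order.
const ALGORITHMS = ["sha512", "sha384", "sha256"];

// Parse "sha384-<b64> sha256-<b64>" into { alg, digest } entries,
// skipping unknown algorithms and tolerating a "?options" suffix.
function parseIntegrity(integrity) {
  const entries = [];
  for (const token of String(integrity).trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})(\?.*)?$/.exec(token);
    if (m) entries.push({ alg: m[1], digest: Buffer.from(m[2], "base64") });
  }
  return entries;
}

// True only if the body matches a digest of the strongest algorithm listed.
// Deliberately fails closed: an empty or unparseable string is a mismatch,
// and a matching weaker hash cannot override a mismatching stronger one.
function verifyBody(body, integrity) {
  const entries = parseIntegrity(integrity);
  const strongest = ALGORITHMS.find((alg) => entries.some((e) => e.alg === alg));
  if (!strongest) return false;
  const actual = createHash(strongest).update(body).digest();
  return entries
    .filter((e) => e.alg === strongest)
    .some((e) => e.digest.length === actual.length && timingSafeEqual(e.digest, actual));
}

// Produce the value to pin at build time (hypothetical helper).
function makeIntegrity(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Constructed sample data, not taken from the advisory.
const original = Buffer.from("console.log('release 1.0');\n");
const tampered = Buffer.from("console.log('release 1.0'); // modified\n");
const pinned = makeIntegrity(original);

console.log(verifyBody(original, pinned)); // true
console.log(verifyBody(tampered, pinned)); // false
```

The pinned string must come from a source the attacker cannot modify, such as a lockfile or build manifest; the check is only as trustworthy as the value it compares against.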


Remediation

Install updates from the vendor's website.

External links