*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Vulnerable Library - @verdaccio/proxy-6.0.0-6-next.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-24807
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsUndici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Publish Date: 2023-02-16
URL: CVE-2023-24807
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
CVE-2023-23936
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsUndici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
Publish Date: 2023-02-16
URL: CVE-2023-23936
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
CVE-2022-32210
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability Details`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Publish Date: 2022-07-14
URL: CVE-2022-32210
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-pgw7-wx7w-2w33
Release Date: 2022-07-14
Fix Resolution: undici - 5.5.1
CVE-2022-35949
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability Detailsundici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.
Publish Date: 2022-08-12
URL: CVE-2022-35949
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949
Release Date: 2022-08-12
Fix Resolution: undici - 5.8.2
CVE-2022-35948
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability Detailsundici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
Publish Date: 2022-08-13
URL: CVE-2022-35948
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948
Release Date: 2022-08-13
Fix Resolution: undici - 5.8.2
CVE-2022-31150
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability Detailsundici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
Publish Date: 2022-07-19
URL: CVE-2022-31150
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150
Release Date: 2022-07-19
Fix Resolution: undici - 5.8.0
CVE-2022-25881
### Vulnerable Library - http-cache-semantics-4.1.0.tgzParses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - got-11.8.5.tgz - cacheable-request-7.0.2.tgz - :x: **http-cache-semantics-4.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsThis affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1
CVE-2024-30260
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsUndici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Publish Date: 2024-04-04
URL: CVE-2024-30260
### CVSS 3 Score Details (3.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
Release Date: 2024-04-04
Fix Resolution: undici - 5.28.4,6.11.1
CVE-2024-24758
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsUndici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-02-16
URL: CVE-2024-24758
### CVSS 3 Score Details (3.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-24758
Release Date: 2024-02-16
Fix Resolution: undici - 5.28.3,6.6.1
CVE-2023-45143
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsUndici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
Publish Date: 2023-10-12
URL: CVE-2023-45143
### CVSS 3 Score Details (3.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
Release Date: 2023-10-12
Fix Resolution: undici - 5.26.2
CVE-2022-31151
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsAuthorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).
Publish Date: 2022-07-20
URL: CVE-2022-31151
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
Release Date: 2022-07-20
Fix Resolution: undici - 5.8.0
CVE-2024-30261
### Vulnerable Library - undici-4.16.0.tgzAn HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-4.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - @verdaccio/proxy-6.0.0-6-next.28.tgz (Root Library) - :x: **undici-4.16.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6580df98f62d821bca93d2b0acd528447eafe22b
Found in base branch: master
### Vulnerability DetailsUndici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Publish Date: 2024-04-04
URL: CVE-2024-30261
### CVSS 3 Score Details (2.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
Release Date: 2024-04-04
Fix Resolution: undici - 5.28.4,6.11.1