Base Score

LOW3.5

CVE-2024-30261

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateApr 04, 2024, 15:15

Affected Versions(2)

undici(npm)

Introduced0

Fixed5.28.4

LimitN/A

undici(npm)

Introduced6.0.0

Fixed6.11.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
undici(npm)	0	5.28.4	N/A
undici(npm)	6.0.0	6.11.1	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

3.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

LOW3.5

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

3.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE