GHSA-3g92-w8c5-73pq

GitHub Security Advisory

Undici vulnerable to data leak when using response.arrayBuffer()

GitHub Reviewed · Severity: Low · Has CVE

Advisory Details

### Impact

Depending on the network and process conditions of a `fetch()` request, the `ArrayBuffer` returned by `response.arrayBuffer()` might include a portion of memory from the Node.js process beyond the response body itself.
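The advisory does not spell out the mechanism, so the following is an added illustration rather than undici's own code: it shows the general Node.js behaviour by which handing a caller the underlying `ArrayBuffer` of a small, pool-allocated `Buffer` exposes unrelated process memory, the exact-copy form that avoids it, and a caller-side check you can run on any `arrayBuffer()` result. Treating this as undici's root cause is an assumption; the `primePool` and `assembleBody` helpers and the marker string are constructed stand-ins for a recently allocated value and a fetched body. It assumes Node.js with the global `Buffer`.

```javascript
// Added illustration, not undici's code. Node.js carves small Buffers
// (< Buffer.poolSize / 2, i.e. < 4 KiB by default) out of a shared 8 KiB
// pool, so `buf.buffer` is the whole pool, not just buf's bytes.
const POOL_SIZE = Buffer.poolSize;

// Constructed stand-in for unrelated small data the process allocated
// recently (another response, a header value, a token). Small => pooled.
function primePool(secret) {
  return Buffer.from(secret);
}

// Constructed stand-in for a fetch implementation assembling a small body
// from stream chunks. Buffer.concat allocates the result with allocUnsafe,
// which draws from the pool when the total length is small.
function assembleBody(chunks) {
  return Buffer.concat(chunks.map((c) => Buffer.from(c)));
}

// Unsafe: the underlying ArrayBuffer of a pooled Buffer is the entire pool,
// so the caller receives every byte that was ever written into it.
function unsafeArrayBuffer(buf) {
  return buf.buffer;
}

// Safe: copy exactly buf's bytes into a fresh, exactly-sized ArrayBuffer.
// (new Uint8Array(buf).buffer is an equivalent copying form.)
function safeArrayBuffer(buf) {
  return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
}

// Caller-side check for any arrayBuffer() result: its length must match the
// body you expected (Content-Length, or the byte count of a cloned response
// read with text()), and it must not contain a marker that was never part of
// the body. Buffer.from(ArrayBuffer) is a view, so this does not copy.
function leaksBeyondBody(ab, expectedLength, marker) {
  const view = Buffer.from(ab);
  return ab.byteLength !== expectedLength || view.includes(marker);
}

if (typeof require !== 'undefined' && require.main === module) {
  const marker = 'constructed-secret-marker';
  primePool(marker);
  const body = assembleBody(['{"ok":', 'true}']);
  const leaky = unsafeArrayBuffer(body);
  const clean = safeArrayBuffer(body);
  console.log('pool size', POOL_SIZE, 'body length', body.length);
  console.log('unsafe byteLength', leaky.byteLength,
    'leaks:', leaksBeyondBody(leaky, body.length, marker));
  console.log('safe byteLength', clean.byteLength,
    'leaks:', leaksBeyondBody(clean, body.length, marker));
}
```

The length comparison is the check worth keeping in a test suite: a correct `arrayBuffer()` always has `byteLength` equal to the body's byte count, so any excess is a sign that a backing store larger than the body has been handed out.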

### Patches

This has been patched in v6.19.2.

### Workarounds

There are no known workarounds.

### References

https://github.com/nodejs/undici/issues/3337
https://github.com/nodejs/undici/issues/3328
https://github.com/nodejs/undici/pull/3338
https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

Affected Packages

npm undici
Affected versions: >= 6.14.0, < 6.19.2 (fixed in 6.19.2)

Key Information

GHSA ID
GHSA-3g92-w8c5-73pq
Published
July 9, 2024 1:32 PM
Last Modified
July 9, 2024 1:32 PM
CVSS Score
2.5 /10
Primary Ecosystem
npm
Primary Package
undici
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.