CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
AI Score Confidence: High
EPSS Percentile: 10.3%
undici is vulnerable to Improper Access Control. This vulnerability is due to insufficient validation of the integrity option passed to the fetch() function. If an attacker can manipulate the integrity option passed to the fetch() method, the request will be accepted even if the request was tampered with.
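A caller-side check that fits the description above, as an added example that is not undici's code or its fix: it verifies a response body against an integrity string and fails closed when the string contains no usable entry. The function names and the sample body are constructed for this example.

```javascript
// Added example: fail-closed verification of an integrity string (not undici code).
const { createHash, timingSafeEqual } = require('node:crypto');

// Accepted algorithms, weakest to strongest, with digest length in bytes.
const ALGS = ['sha256', 'sha384', 'sha512'];
const DIGEST_LEN = { sha256: 32, sha384: 48, sha512: 64 };

// Parse whitespace-separated "alg-base64digest[?options]" tokens.
// Tokens with an unknown algorithm or a malformed digest are dropped.
function parseIntegrity(integrity) {
  if (typeof integrity !== 'string') return [];
  const entries = [];
  for (const token of integrity.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (!m) continue;
    const digest = Buffer.from(m[2], 'base64');
    // A digest of the wrong length cannot be a real hash for that algorithm.
    if (digest.length !== DIGEST_LEN[m[1]]) continue;
    entries.push({ alg: m[1], digest });
  }
  return entries;
}

// True only if the body matches a digest of the strongest algorithm listed.
// An integrity string with no usable entry is a failure, not "nothing to check".
function verifyIntegrity(body, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false; // fail closed
  const rank = Math.max(...entries.map((e) => ALGS.indexOf(e.alg)));
  const alg = ALGS[rank];
  const actual = createHash(alg).update(body).digest();
  return entries
    .filter((e) => e.alg === alg)
    .some((e) => timingSafeEqual(e.digest, actual));
}

// Constructed sample: a small script body and the integrity value pinned for it.
const sampleBody = 'console.log("hello")';
const sampleIntegrity =
  'sha384-' + createHash('sha384').update(sampleBody).digest('base64');

console.log(verifyIntegrity(sampleBody, sampleIntegrity));       // matching body
console.log(verifyIntegrity(sampleBody + ' ', sampleIntegrity)); // modified body
console.log(verifyIntegrity(sampleBody, 'md5-AAAA'));            // no usable entry
```

Run the check on the fully received body before the content is used, with the integrity value taken from a trusted source rather than from request input.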
github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
hackerone.com/reports/2377760
lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/