First published: Thu Apr 04 2024(Updated: )
### Impact If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered. ### Patches Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds Ensure that `integrity` cannot be tampered with. ### References https://hackerone.com/reports/2377760
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/undici | >=6.0.0<6.11.1 | 6.11.1 |
npm/undici | <5.28.4 | 5.28.4 |
IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
IBM QRadar Suite Software | <=1.10.12.0 - 1.10.23.0 | |
Nodejs Undici | <5.28.4 | |
Nodejs Undici | >=6.0.0<6.11.1 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Fedoraproject Fedora | =40 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.