Moderate severity · NVD Advisory · Published Feb 16, 2024 · Updated Feb 13, 2025
Backpressure request ignored in fetch() in Undici
CVE-2024-24750
Description
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions, calling fetch(url) and not consuming the incoming body (or consuming it very slowly) causes the response body to be read eagerly into memory without regard to the consumer, so memory grows with the size of the response. This is a memory leak that a server sending a large or endless body can turn into a denial of service against the client. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body promptly.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undici (npm) | >= 6.0.0, < 6.6.1 | 6.6.1 |
Affected products
Patches (1)
87a48113f1f6 — Merge pull request from GHSA-9f24-jqhm-jfcw
2 files changed · +59 −3
lib/fetch/index.js+6 −3 modified
@@ -1099,10 +1099,10 @@ function fetchFinale (fetchParams, response) {
 const byteStream = new ReadableStream({
 readableStream: transformStream.readable,
- async start (controller) {
+ async pull (controller) {
 const reader = this.readableStream.getReader()
- while (true) {
+ while (controller.desiredSize >= 0) {
 const { done, value } = await reader.read()
 if (done) {
@@ -1113,6 +1113,7 @@ function fetchFinale (fetchParams, response) {
 controller.enqueue(value)
 }
 },
+ queuingStrategy: new ByteLengthQueuingStrategy({ highWaterMark: 16384 }),
 type: 'bytes'
 })
@@ -1927,6 +1928,7 @@ async function httpNetworkFetch (
 // cancelAlgorithm set to cancelAlgorithm.
 const stream = new ReadableStream(
 {
+ highWaterMark: 16384,
 async start (controller) {
 fetchParams.controller.controller = controller
 },
@@ -1936,7 +1938,8 @@ async function httpNetworkFetch (
 async cancel (reason) {
 await cancelAlgorithm(reason)
 },
- type: 'bytes'
+ type: 'bytes',
+ queuingStrategy: new ByteLengthQueuingStrategy({ highWaterMark: 16384 })
 }
 )
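Review bot: In the first hunk the new `pull (controller)` calls `this.readableStream.getReader()` on every invocation and never releases that reader, so as far as I can tell the second `pull` — issued once the consumer drains the queue and `desiredSize` goes non-negative again — will throw a TypeError because `transformStream.readable` is still locked by the reader taken on the first call, and the fetch body will error instead of resuming. Acquire the reader once per stream, e.g. `const reader = (this.reader ??= this.readableStream.getReader())`, or call `reader.releaseLock()` before `pull` returns. Separately, `queuingStrategy:` (second and fourth hunks) and `highWaterMark:` (third hunk) are written as keys of the underlying-source object, but `ReadableStream` takes its strategy as the second constructor argument and ignores unknown keys in the first, so the intended 16384-byte high-water mark is never applied and the byte stream runs with its default of 0; note that a `type: 'bytes'` stream rejects a strategy that has a `size` function, so the second argument would have to be `{ highWaterMark: 16384 }` rather than a `ByteLengthQueuingStrategy`. Both `fetchFinale` and `httpNetworkFetch` begin and end outside these hunks.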
test/fetch/pull-dont-push.js+53 −0 added
@@ -0,0 +1,53 @@
+'use strict'
+
+const { test } = require('node:test')
+const assert = require('node:assert')
+const { fetch } = require('../..')
+const { createServer } = require('http')
+const { once } = require('events')
+const { Readable, pipeline } = require('stream')
+const { setTimeout: sleep } = require('timers/promises')
+
+const { closeServerAsPromise } = require('../utils/node-http')
+
+test('Allow the usage of custom implementation of AbortController', async (t) => {
+ let count = 0
+ let socket
+ const server = createServer((req, res) => {
+ res.statusCode = 200
+ socket = res.socket
+
+ // infinite stream
+ const stream = new Readable({
+ read () {
+ this.push('a')
+ if (count++ > 1000000) {
+ this.push(null)
+ }
+ }
+ })
+
+ pipeline(stream, res, () => {})
+ })
+
+ t.after(closeServerAsPromise(server))
+
+ server.listen(0)
+ await once(server, 'listening')
+
+ t.diagnostic('server listening on port %d', server.address().port)
+ const res = await fetch(`http://localhost:${server.address().port}`)
+ t.diagnostic('fetched')
+
+ // Some time is needed to fill the buffer
+ await sleep(1000)
+
+ assert.strictEqual(socket.bytesWritten < 1024 * 1024, true) // 1 MB
+ socket.destroy()
+
+ // consume the stream
+ try {
+ /* eslint-disable-next-line no-empty, no-unused-vars */
+ for await (const chunk of res.body) {}
+ } catch {}
+})
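Review bot: The test title `'Allow the usage of custom implementation of AbortController'` looks pasted from another test and says nothing about what is being checked; rename it to something like `'fetch() applies backpressure and does not buffer an unconsumed body'` so a regression is identifiable from the report alone. The bound in `assert.strictEqual(socket.bytesWritten < 1024 * 1024, true)` is only just above the roughly 1,000,002 payload bytes the server produces before pushing `null`, so it appears to discriminate mainly through chunked-encoding framing overhead; a bound well below the payload, stated with a message, e.g. `assert.ok(socket.bytesWritten < 256 * 1024, \`server wrote ${socket.bytesWritten} bytes\`)`, would make the intent and any failure clearer. The fixed `await sleep(1000)` makes the check timing-dependent and adds a second to every run; polling `socket.bytesWritten` until it stops growing would be more robust, though I have not checked what the harness allows.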
Vulnerability mechanics
Before the fix, `fetchFinale` wrapped the response in a `ReadableStream` whose `start()` handler looped with `while (true)`, reading every chunk from the underlying transform stream and calling `controller.enqueue(value)` regardless of whether anything was reading the fetch body, so an unconsumed (or slowly consumed) body accumulated in the stream's internal queue for as long as the server kept sending. The fix moves that loop into `pull()` and gates it on `controller.desiredSize >= 0`, so chunks are only read from the network when the consumer has drained the queue, and intends to set a 16 KiB high-water mark on both the fetch body stream and the network stream in `httpNetworkFetch`. The added test serves an effectively unbounded body, waits one second without reading it, and asserts that the server has written less than 1 MiB to the socket.
References
- github.com/advisories/GHSA-9f24-jqhm-jfcw (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-24750 (ghsa: ADVISORY)
- github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 (ghsa: x_refsource_MISC, WEB)
- github.com/nodejs/undici/releases/tag/v6.6.1 (ghsa: WEB)
- github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw (ghsa: x_refsource_CONFIRM, WEB)
- security.netapp.com/advisory/ntap-20240419-0006 (ghsa: WEB)
- security.netapp.com/advisory/ntap-20240419-0006/ (mitre)