Low severity · NVD Advisory · Published Apr 4, 2024 · Updated Nov 4, 2025
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect
CVE-2024-30261
Description
Undici is an HTTP/1.1 client, written from scratch for Node.js. If an attacker can alter the integrity option passed to fetch(), fetch() can be made to accept a response as valid even though its body has been tampered with: when the integrity string names a supported algorithm but carries an incorrect hash value, the check is too lax and passes instead of failing. Patched in 5.28.4 (5.x line) and 6.11.1 (6.x line). Note that fetch() can only verify a body against the integrity string it is given; an application that derives that string from the same untrusted source as the content gets no protection from the check, before or after the fix.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undici (npm) | < 5.28.4 | 5.28.4 |
| undici (npm) | >= 6.0.0, < 6.11.1 | 6.11.1 |
Affected products
13 package coordinates from the GHSA, none mapped to a CPE; the rpm ranges are per-distribution package versions.
- pkg:npm/undici (no CPE): < 5.28.4
- pkg:rpm/opensuse/nodejs18 (distro: openSUSE Leap 15.5, no CPE): < 18.20.1-150400.9.21.3
- pkg:rpm/opensuse/nodejs20 (distro: openSUSE Leap 15.5, no CPE): < 20.12.1-150500.11.9.2
- pkg:rpm/opensuse/nodejs-electron (distro: openSUSE Tumbleweed, no CPE): < 28.2.10-3.1
- pkg:rpm/suse/nodejs16 (distro: SUSE Linux Enterprise Module for Web and Scripting 12, no CPE): < 16.20.2-8.45.1
- pkg:rpm/suse/nodejs18 (distro: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS, no CPE): < 18.20.1-150400.9.21.3
- pkg:rpm/suse/nodejs18 (distro: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, no CPE): < 18.20.1-150400.9.21.3
- pkg:rpm/suse/nodejs18 (distro: SUSE Linux Enterprise Module for Web and Scripting 12, no CPE): < 18.20.1-8.21.1
- pkg:rpm/suse/nodejs18 (distro: SUSE Linux Enterprise Module for Web and Scripting 15 SP5, no CPE): < 18.20.1-150400.9.21.3
- pkg:rpm/suse/nodejs18 (distro: SUSE Linux Enterprise Server 15 SP4-LTSS, no CPE): < 18.20.1-150400.9.21.3
- pkg:rpm/suse/nodejs18 (distro: SUSE Linux Enterprise Server for SAP Applications 15 SP4, no CPE): < 18.20.1-150400.9.21.3
- pkg:rpm/suse/nodejs18 (distro: SUSE Manager Server 4.3, no CPE): < 18.20.1-150400.9.21.3
- pkg:rpm/suse/nodejs20 (distro: SUSE Linux Enterprise Module for Web and Scripting 15 SP5, no CPE): < 20.12.1-150500.11.9.2
Patches
Fixed in undici 5.28.4 (5.x line) and 6.11.1 (6.x line). The fix commits are 2b39440bd9ded841c93dd72138f3b1763ae26055 and d542b8cd39ec1ba303f038ea26098c3f355974f3, linked under References.
Vulnerability mechanics
References
- https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 (vendor advisory, GHSA)
- https://github.com/advisories/GHSA-9qxr-qj54-h672 (GitHub Advisory Database)
- https://nvd.nist.gov/vuln/detail/CVE-2024-30261 (NVD)
- https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 (fix commit)
- https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3 (fix commit)
- https://hackerone.com/reports/2377760 (HackerOne report)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/ (Fedora package announcement)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/ (Fedora package announcement)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/ (Fedora package announcement)
- https://security.netapp.com/advisory/ntap-20240905-0008/ (NetApp advisory)