Medium severity (5.3) · NVD Advisory · Published Jun 26, 2024 · Updated Apr 15, 2026
CVE-2024-38375
CVE-2024-38375
Description
@fastly/js-compute is a JavaScript SDK and runtime for building Fastly Compute applications. The implementations of several functions were determined to include a use-after-free bug. This bug could allow unintended data loss if the result of the affected functions was sent anywhere else, and it often results in a guest trap that causes services to return a 500. This bug has been fixed in version 3.16.0 of the @fastly/js-compute package.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @fastly/js-compute (npm) | >= 3.0.0, < 3.16.0 | 3.16.0 |
Patches
14e16641ef4e1 fix: Fix uses of cabi_realloc that were discarding their results (#811)
2 files changed · +16 −16
runtime/fastly/host-api/component/fastly_world_adapter.cpp+8 −8 modified@@ -210,7 +210,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_cipher_openssl_name( auto status = fastly::req_downstream_tls_cipher_openssl_name(reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_cipher_openssl_name(reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } @@ -224,7 +224,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_protocol( auto status = fastly::req_downstream_tls_protocol(reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_protocol(reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } @@ -238,7 +238,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_raw_client_certificate( auto status = fastly::req_downstream_tls_raw_client_certificate(ret->ptr, default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_raw_client_certificate(ret->ptr, ret->len, &ret->len); } return convert_result(status, err); 
@@ -250,7 +250,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_ja3_md5( ret->ptr = static_cast<uint8_t *>(cabi_malloc(default_size, 4)); auto status = fastly::req_downstream_tls_ja3_md5(ret->ptr, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_ja3_md5(ret->ptr, &ret->len); } return convert_result(status, err); @@ -261,7 +261,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_client_hello( ret->ptr = static_cast<uint8_t *>(cabi_malloc(default_size, 4)); auto status = fastly::req_downstream_tls_client_hello(ret->ptr, default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_client_hello(ret->ptr, ret->len, &ret->len); } return convert_result(status, err); @@ -1243,7 +1243,7 @@ bool fastly_compute_at_edge_cache_get_user_metadata(fastly_compute_at_edge_cache auto status = fastly::cache_get_user_metadata(handle, reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::cache_get_user_metadata(handle, reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } 
@@ -1387,10 +1387,10 @@ bool fastly_compute_at_edge_device_detection_lookup( fastly::device_detection_lookup(reinterpret_cast<char *>(user_agent->ptr), user_agent->len, reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::device_detection_lookup(reinterpret_cast<char *>(user_agent->ptr), user_agent->len, reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } return convert_result(status, err); -} \ No newline at end of file +}
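Review bot: The pointer returned by `cabi_realloc` is now stored but still not checked before the retry call on the following line hands it back to the host together with `ret->len`, in every hunk of this section and in the identical hunks of runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp below; if `cabi_realloc` can return a null pointer on exhaustion instead of trapping (not visible here), the host would then write through null and the original block would be leaked, so either a guard such as `if (ret->ptr == nullptr) { /* report allocation failure via err */ return false; }` or a comment at the first site stating that `cabi_realloc` never returns null is warranted. The same one-token omission recurred at seven sites per file and was only caught after it shipped as a use-after-free; declaring `cabi_realloc` `[[nodiscard]]` at its declaration (outside these hunks) would turn a discarded result into a compiler diagnostic, and hoisting the grow-and-retry sequence into a single helper that performs both the `cabi_realloc` call and the `ret->ptr` assignment would leave one place to get it right. Each enclosing function starts before its hunk.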
runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp+8 −8 modified@@ -210,7 +210,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_cipher_openssl_name( auto status = fastly::req_downstream_tls_cipher_openssl_name(reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_cipher_openssl_name(reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } @@ -224,7 +224,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_protocol( auto status = fastly::req_downstream_tls_protocol(reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_protocol(reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } @@ -238,7 +238,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_raw_client_certificate( auto status = fastly::req_downstream_tls_raw_client_certificate(ret->ptr, default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_raw_client_certificate(ret->ptr, ret->len, &ret->len); } return convert_result(status, err); 
@@ -250,7 +250,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_ja3_md5( ret->ptr = static_cast<uint8_t *>(cabi_malloc(default_size, 4)); auto status = fastly::req_downstream_tls_ja3_md5(ret->ptr, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_ja3_md5(ret->ptr, &ret->len); } return convert_result(status, err); @@ -261,7 +261,7 @@ bool fastly_compute_at_edge_http_req_downstream_tls_client_hello( ret->ptr = static_cast<uint8_t *>(cabi_malloc(default_size, 4)); auto status = fastly::req_downstream_tls_client_hello(ret->ptr, default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::req_downstream_tls_client_hello(ret->ptr, ret->len, &ret->len); } return convert_result(status, err); @@ -1243,7 +1243,7 @@ bool fastly_compute_at_edge_cache_get_user_metadata(fastly_compute_at_edge_cache auto status = fastly::cache_get_user_metadata(handle, reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::cache_get_user_metadata(handle, reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } 
@@ -1387,10 +1387,10 @@ bool fastly_compute_at_edge_device_detection_lookup( fastly::device_detection_lookup(reinterpret_cast<char *>(user_agent->ptr), user_agent->len, reinterpret_cast<char *>(ret->ptr), default_size, &ret->len); if (status == FASTLY_COMPUTE_AT_EDGE_TYPES_ERROR_BUFFER_LEN) { - cabi_realloc(ret->ptr, default_size, 4, ret->len); + ret->ptr = static_cast<uint8_t *>(cabi_realloc(ret->ptr, default_size, 4, ret->len)); status = fastly::device_detection_lookup(reinterpret_cast<char *>(user_agent->ptr), user_agent->len, reinterpret_cast<char *>(ret->ptr), ret->len, &ret->len); } return convert_result(status, err); -} \ No newline at end of file +}