undici-5.20.0.tgz: 5 vulnerabilities (highest severity is: 6.8)

[mend-bolt-for-github]

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (undici version)	Remediation Possible**
CVE-2025-22150	Medium	6.8	undici-5.20.0.tgz	Direct	undici - 5.28.5,6.21.1,7.2.3	❌
CVE-2024-30260	Low	3.9	undici-5.20.0.tgz	Direct	undici - 5.28.4,6.11.1	❌
CVE-2024-24758	Low	3.9	undici-5.20.0.tgz	Direct	5.28.3	❌
CVE-2023-45143	Low	3.9	undici-5.20.0.tgz	Direct	5.26.2	❌
CVE-2024-30261	Low	2.6	undici-5.20.0.tgz	Direct	undici - 5.28.4,6.11.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-22150

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.

Publish Date: 2025-01-21

URL: CVE-2025-22150

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c76h-2ccp-4975

Release Date: 2025-01-21

Fix Resolution: undici - 5.28.5,6.21.1,7.2.3

Step up your Open Source Security Game with Mend here

CVE-2024-30260

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Publish Date: 2024-04-04

URL: CVE-2024-30260

CVSS 3 Score Details (3.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m4v8-wqvr-p9f7

Release Date: 2024-04-04

Fix Resolution: undici - 5.28.4,6.11.1

Step up your Open Source Security Game with Mend here

CVE-2024-24758

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-02-16

URL: CVE-2024-24758

CVSS 3 Score Details (3.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-24758

Release Date: 2024-02-16

Fix Resolution: 5.28.3

Step up your Open Source Security Game with Mend here

CVE-2023-45143

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Publish Date: 2023-10-12

URL: CVE-2023-45143

CVSS 3 Score Details (3.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wqq4-5wpv-mx2g

Release Date: 2023-10-12

Fix Resolution: 5.26.2

Step up your Open Source Security Game with Mend here

CVE-2024-30261

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Publish Date: 2024-04-04

URL: CVE-2024-30261

CVSS 3 Score Details (2.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9qxr-qj54-h672

Release Date: 2024-04-04

Fix Resolution: undici - 5.28.4,6.11.1

Step up your Open Source Security Game with Mend here