LOW 2.6
GHSA-9qxr-qj54-h672
Undici's fetch with integrity option is too lax when an algorithm is specified but the hash value is incorrect
Details
### Impact
If an attacker can alter the `integrity` option passed to `fetch()`, they can make `fetch()` treat a response as valid even though its body has been tampered with.
### Patches
Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes have been released in v5.28.4 and v6.11.1.
### Workarounds
Ensure that `integrity` cannot be tampered with.
### References
https://hackerone.com/reports/2377760
References
- https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-30261 [ADVISORY]
- https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 [WEB]
- https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3 [WEB]
- https://hackerone.com/reports/2377760 [WEB]
- https://github.com/nodejs/undici [PACKAGE]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E [WEB]
- https://security.netapp.com/advisory/ntap-20240905-0008 [WEB]