Open
Description
The undici team asserts that this CVE only affects versions >= 6.0.0 and that the v5.x release is not impacted.
If this is true, then the PR here that upgrades undici from v5 to v6 is not required to address this CVE.
Some vulnerability scanning tools (e.g. Veracode) rely on NVD as the source of truth with respect to assessing impacted versions. This CVE is currently "Awaiting Analysis" at NVD:
https://nvd.nist.gov/vuln/detail/CVE-2024-24750
We will continue testing the undici v6 upgrade while NVD performs their analysis.
20240306 - Still awaiting analysis.
20240311 - Still awaiting analysis.
20240319 - Still awaiting analysis.
20240327 - Still awaiting analysis.
20240703 - Still awaiting analysis.