
chore(deps): update dependency undici to v5.28.5 [security] j:cdx-227

Open renovate[bot] opened this issue 1 year ago • 2 comments

This PR contains the following updates:

Package          Type             Update  Change
undici (source)  devDependencies  patch   5.28.3 -> 5.28.5

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

  • https://fetch.spec.whatwg.org/#authentication-entries
  • https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered with.

Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes have been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1.

Workarounds

Use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

  • https://hackerone.com/reports/2408074
  • https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker-controlled servers.

References

  • https://hackerone.com/reports/2913312
  • https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

Release Notes

nodejs/undici (undici)

v5.28.5

Compare Source

⚠️ Security Release ⚠️

Fixes CVE-2025-22150 https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5

v5.28.4

Compare Source

:warning: Security Release :warning:

  • Fixes https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
  • Fixes https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate[bot], Apr 04 '24 18:04

Thanks for your contribution @renovate[bot]! When your pull request is ready to be merged, check the box below to merge it.

  • [ ] Merge! :shipit:

github-actions[bot], Apr 04 '24 18:04

Pull Request Report

PR Title

:white_check_mark: Title follows the conventional commit spec.

github-actions[bot], Apr 04 '24 18:04