External/card-drop
4
0
Fork 0
Code Issues 44 Pull requests 7 Projects 1 Releases 28 Packages Wiki Activity Actions

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect [LOW] [7] #197

New issue
Closed
opened 2024-04-08 15:19:08 +01:00 by Helpdesk · 0 comments
Helpdesk commented 2024-04-08 15:19:08 +01:00
Member
Copy link

Package: undici (npm)
Affected versions: < 5.28.4
Patched versions: 5.28.4

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tempered.

Patches

Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Package: undici (npm) Affected versions: < 5.28.4 Patched versions: 5.28.4 --- ## Impact If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tempered. ## Patches Fixes has been released in v5.28.4 and v6.11.1. ## Workarounds Ensure that `integrity` cannot be tampered with. ## References https://hackerone.com/reports/2377760
Helpdesk added the
type
dependencies
 label 2024-04-08 15:19:08 +01:00
Vylpes added this to the 0.7.0 milestone 2024-06-03 18:18:21 +01:00
Vylpes added this to the 0.7 Sprint 2 project 2024-06-16 15:43:21 +01:00
Vylpes self-assigned this 2024-06-16 15:43:38 +01:00
Vylpes started working 2024-06-18 18:19:44 +01:00
Vylpes stopped working 2024-06-18 18:22:05 +01:00
2 minutes 21 seconds
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
renovate/cron-3.x-lockfile
renovate/typescript-eslint-eslint-plugin-8.x-lockfile
renovate/node-22.x-lockfile
renovate/appleboy-ssh-action-1.x
develop
renovate/node-20.x-lockfile
renovate/jest-29.x-lockfile
hotfix/0.8.2
renovate/discord.js-14.x-lockfile
v0.8.2
v0.8.1
v0.8.0
v0.7.0
v0.6.4
v0.6.3
v0.6.2
v0.6.1
v0.6.0
v0.5.2
v0.5.1
v0.5.0
v0.4.2
v0.4.1
v0.4.0
v0.3.1
v0.3.0
v0.2.1
v0.2.0
v0.1.8
v0.1.7
v0.1.6
v0.1.5
v0.1.4
v0.1.3
v0.1.2
v0.1.1
v0.1.0
Labels
Clear labels   
blocked

   
duplicate

   
needs criteria

   
needs estimate

   
needs testing

   
question

   
requires documentation
  
type
admin

  
type
alert

  
type
bug

  
type
change

  
type
defect

  
type
dependencies

  
type
epic

  
type
spike

  
type
story

  
type
subtask

  
won't fix
No labels
blocked
duplicate
needs criteria
needs estimate
needs testing
question
requires documentation
type
admin
type
alert
type
bug
type
change
type
defect
type
dependencies
type
epic
type
spike
type
story
type
subtask
won't fix
Milestone
Clear milestone
No items
No milestone
0.7.0
Projects
Clear projects
No items
No project
0.7 Sprint 2
Assignees
Clear assignees
No assignees
Vylpes
1 participant
Notifications
Total time spent: 2 minutes 21 seconds
Vylpes
2 minutes 21 seconds
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: External/card-drop#197
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?