[23] Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect #443

New issue

Closed

opened 2024-06-24 18:39:18 +01:00 by Helpdesk · 0 comments

Helpdesk commented 2024-06-24 18:39:18 +01:00

Member

Copy link

Package: undici (npm)
Affected versions: < 5.28.4
Patched version: 5.28.4

https://github.com/Vylpes/vylbot-app/security/dependabot/23

---

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been temptered.

Patches

Fixed in nodejs/undici.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tamptered with.

References

• https://hackerone.com/reports/2377760

Package: undici (npm) Affected versions: < 5.28.4 Patched version: 5.28.4 https://github.com/Vylpes/vylbot-app/security/dependabot/23 --- ## Impact If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been temptered. ## Patches Fixed in [nodejs/undici](https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3). Fixes has been released in v5.28.4 and v6.11.1. ## Workarounds Ensure that `integrity` cannot be tamptered with. ## References - https://hackerone.com/reports/2377760

Helpdesk added the

type

alert

label 2024-06-24 18:39:18 +01:00

Vylpes added this to the (deleted) milestone 2024-06-24 18:48:35 +01:00

Vylpes closed this issue 2024-09-23 18:06:36 +01:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

renovate/node-22.x-lockfile

renovate/appleboy-ssh-action-1.x

feature/300-moon-set

develop

hotfix/3.2.4

renovate/minimatch-10.x

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.7

v3.0.6

v3.0.5

v3.1-alpha1

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0

v3.0-rc2

v3.0-rc1

v3.0-beta2

v3.0-beta1

v2.1.3

Labels

Clear labels   

blocked

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

needs criteria

  

needs estimate

  

needs testing

  

question

Further information is requested

  

type

admin

  

type

bug

Something isn't working

  

type

change

  

type

defect

A task that has fallen out of testing

  

type

dependencies

Pull requests that update a dependency file

  

type

documentation

Improvements or additions to documentation

  

type

epic

  

type

incident

  

type

investigation

  

type

spike

  

type

story

  

type

subtask

  

wontfix

This will not be worked on

  

blocked

  

duplicate

  

needs criteria

  

needs designs

  

needs estimate

  

needs testing

  

question

  

type

admin

  

type

alert

  

type

bug

  

type

defect

  

type

dependencies

  

type

design

  

type

documentation

  

type

epic

  

type

incident

  

type

investigation

  

type

spike

  

type

story

  

won't fix

No labels

blocked

duplicate

enhancement

good first issue

help wanted

invalid

needs criteria

needs estimate

needs testing

question

type

admin

type

bug

type

change

type

defect

type

dependencies

type

documentation

type

epic

type

incident

type

investigation

type

spike

type

story

type

subtask

wontfix

blocked

duplicate

needs criteria

needs designs

needs estimate

needs testing

question

type

admin

type

alert

type

bug

type

defect

type

dependencies

type

design

type

documentation

type

epic

type

incident

type

investigation

type

spike

type

story

won't fix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: RabbitLabs/vylbot-app#443

No description provided.