Headline
GHSA-9qxr-qj54-h672: Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect
Impact
If an attacker can alter the integrity option passed to fetch(), they can make fetch() accept a response as valid even if its body has been tampered with: a well-formed algorithm prefix combined with an incorrect or malformed hash value was not treated as a failed check.
Patches
Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes have been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that the integrity option passed to fetch() comes only from trusted code or configuration and cannot be altered by an attacker.
References
https://hackerone.com/reports/2377760
Low severity GitHub Reviewed Published Apr 4, 2024 in nodejs/undici • Updated Apr 4, 2024