Backpressure request ignored in fetch()

Moderate

mcollina published GHSA-9f24-jqhm-jfcw

Feb 16, 2024

Package

undici (npm)

Affected versions

>= 6.0.0 <= 6.6.0

Patched versions

6.6.1

Description

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

Severity

Moderate

6.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H