{"id":"UBUNTU-CVE-2024-38372","details":"Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.","modified":"2026-01-20T19:12:29.909393Z","published":"2024-07-08T21:15:00Z","upstream":["CVE-2024-38372"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-38372"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-38372"},{"type":"REPORT","url":"https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq"},{"type":"REPORT","url":"https://github.com/nodejs/undici/issues/3328"},{"type":"REPORT","url":"https://github.com/nodejs/undici/issues/3337"},{"type":"REPORT","url":"https://github.com/nodejs/undici/pull/3338"},{"type":"REPORT","url":"https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36"}],"affected":[{"package":{"name":"node-undici","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/node-undici@5.26.3+dfsg1+~cs23.10.12-2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.22.1+dfsg1+~cs20.10.10.2-1ubuntu1","5.26.3+dfsg1+~cs23.10.12-2"],"ecosystem_specific":{"binaries":[{"binary_name":"node-llhttp","binary_version":"9.1.3~5.26.3+dfsg1+~cs23.10.12-2"},{"binary_name":"node-undici","binary_version":"5.26.3+dfsg1+~cs23.10.12-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-38372.json"}},{"package":{"name":"node-undici","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/node-undici@7.3.0+dfsg1+~cs24.12.11-2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["7.3.0+dfsg1+~cs24.12.11-1","7.3.0+dfsg1+~cs24.12.11-2"],"ecosystem_specific":{"binaries":[{"binary_name":"libllhttp-dev","binary_version":"9.2.1~7.3.0+dfsg1+~cs24.12.11-2"},{"binary_name":"libllhttp9.2","binary_version":"9.2.1~7.3.0+dfsg1+~cs24.12.11-2"},{"binary_name":"node-llhttp","binary_version":"9.2.1~7.3.0+dfsg1+~cs24.12.11-2"},{"binary_name":"node-undici","binary_version":"7.3.0+dfsg1+~cs24.12.11-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-38372.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}