Все бюллетени/c10f2/ALT-PU-2025-2017-6
ALT-PU-2025-2017-6

Обновление пакета node в ветке c10f2

Версия16.20.3-alt1
Задание#371827
Опубликовано2026-02-04
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (14)

BDU:2023-07356
LOW3.5

Уязвимость клиента HTTP/1.1 undici программной платформы Node.js, позволяющая нарушителю раскрыть защищаемую информацию

Опубликовано: 2023-11-01Изменено: 2024-09-23
CVSS 3.xНИЗКАЯ 3.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
Ссылки
BDU:2024-02689
MEDIUM5.3

Уязвимость функции node::http2::Http2Session::~Http2Session() HTTP/2-сервера программной платформы Node.js, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2024-04-06Изменено: 2026-03-04
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
Ссылки
BDU:2024-02798
HIGH7.5

Уязвимость HTTP-сервера программной платформы Node.js, позволяющая нарушителю обойти ограничения безопасности и вызвать отказ в обслуживании

Опубликовано: 2024-04-10Изменено: 2026-03-04
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
BDU:2024-02800
LOW3.9

Уязвимость клиента HTTP/1.1 Undici программной платформы Node.js, связанная с недостаточной защитой служебных данных в результате некорректной очистки заголовков Proxy-Authentication, позволяющая нарушителю повысить свои привилегии

Опубликовано: 2024-04-10Изменено: 2025-04-29
CVSS 3.xНИЗКАЯ 3.9
CVSS:3.x/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
CVSS 2.0СРЕДНЯЯ 5.1
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
Ссылки
BDU:2024-03125
MEDIUM6.1

Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Опубликовано: 2024-04-22Изменено: 2026-03-04
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0СРЕДНЯЯ 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
Ссылки
CVE-2023-45143
LOW3.5

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Опубликовано: 2023-10-12Изменено: 2024-11-21
CVSS 3.xНИЗКАЯ 3.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Ссылки
CVE-2024-22019
HIGH7.5

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

Опубликовано: 2024-02-20Изменено: 2025-11-04
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2024-24758
MEDIUM4.5

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Опубликовано: 2024-02-16Изменено: 2024-12-17
CVSS 3.xСРЕДНЯЯ 4.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Ссылки
CVE-2024-27982
MEDIUM6.5

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Опубликовано: 2024-05-07Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Ссылки
CVE-2024-27983
HIGH8.2

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Опубликовано: 2024-04-09Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Ссылки
CVE-2025-22150
MEDIUM6.8

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.

Опубликовано: 2025-01-21Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.8
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Ссылки
GHSA-3787-6prv-h9w3
LOW3.9

Undici proxy-authorization header not cleared on cross-origin redirect in fetch

Опубликовано: 2024-02-16Изменено: 2024-05-02
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Ссылки
GHSA-c76h-2ccp-4975
MEDIUM6.8

Use of Insufficiently Random Values in undici

Опубликовано: 2025-01-22
CVSS 3.xСРЕДНЯЯ 6.8
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Ссылки
GHSA-wqq4-5wpv-mx2g
LOW3.9

Undici's cookie header not cleared on cross-origin redirect in fetch

Опубликовано: 2023-10-16Изменено: 2024-02-17
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Ссылки