Miggo Logo
Miggo Vulnerability Database
CVE-2024-24750

CVE-2024-24750: fetch(url) leads to a memory leak in undici

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-24750
GHSA ID
GHSA-9f24-jqhm-jfcw
EPSS Score
0.57204%
CWE
CWE-400
Published
2/16/2024
Updated
12/17/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
undicinpm>= 6.0.0, <= 6.6.06.6.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper backpressure handling in stream implementations. The commit diff shows critical changes:- In fetchFinale(): Replaced 'start' with 'pull' and added backpressure check (controller.desiredSize)- Added queuing strategies with explicit highWaterMark- Modified stream initialization in httpNetworkFetch. The original 'start' implementation's infinite read loop (while(true)) would continuously buffer data regardless of consumer readiness, matching the described memory leak scenario when body isn't consumed. The functions directly implement the streaming logic that failed to respect backpressure, making them clearly vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t **llin* `**t**(url)` *n* not *onsumin* t** in*omin* *o*y ((or *onsumin* it v*ry slowin*) will l*** to * m*mory l**k. ### P*t***s P*t**** in v*.*.* ### Work*roun*s M*k* sur* to *lw*ys *onsum* t** in*omin* *o*y.

Reasoning

T** vuln*r**ility st*ms *rom improp*r ***kpr*ssur* **n*lin* in str**m impl*m*nt*tions. T** *ommit *i** s*ows *riti**l ***n**s:- In `**t***in*l*()`: R*pl**** 'st*rt' wit* 'pull' *n* ***** ***kpr*ssur* ****k (`*ontroll*r.**sir**Siz*`)- ***** qu*uin* st