-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| undici | npm | < 5.28.4 | 5.28.4 |
| undici | npm | >= 6.0.0, < 6.11.1 | 6.11.1 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from two key flaws: 1) In bytesMatch(), the original implementation stripped '==' padding indiscriminately and allowed base64url comparisons without proper encoding conversion, creating a mismatch surface. 2) In parseMetadata(), the regex pattern (/sha256|sha384|sha512-[A-z0-9+/]{1}.*={0,2}/i) allowed invalid characters and formats. The fixes introduced stricter regex patterns, proper padding handling, and explicit base64/base64url conversion checks. The commit diff shows these functions were directly modified to address the vulnerability, and the CVE description explicitly references integrity validation bypass through hash manipulation.
JavaScriptJavaScript