CVE: 2024-24750 in undici #44

@mattcollier

Description

The undici team asserts that this CVE only affects versions >= 6.0.0 and that the v5.x release is not impacted.

nodejs/undici#2789

If this is true, then the PR here that upgrades undici from v5 to v6 is not required to address this CVE.

#42

Some vulnerability scanning tools (e.g. Veracode) rely on NVD as the source of truth with respect to assessing impacted versions. This CVE is currently "Awaiting Analysis" at NVD:

https://nvd.nist.gov/vuln/detail/CVE-2024-24750

We will continue testing the undici v6 upgrade while NVD performs their analysis.

20240306 - Still awaiting analysis.
20240311 - Still awaiting analysis.
20240319 - Still awaiting analysis.
20240327 - Still awaiting analysis.
20240703 - Still awaiting analysis.
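The practical question behind this issue is whether any installed copy of undici falls inside the range the maintainers say is affected (>= 6.0.0), including nested copies a scanner might miss or mis-assess. The script below is an added example, not code from this issue or from the undici project: it walks a constructed package-lock.json excerpt (lockfileVersion 1 or 2/3 layouts), finds every installed undici, and flags the ones inside the affected range. The lower bound comes from the maintainers' statement quoted above; the fixed version is not stated in this issue, so it is left as a labelled placeholder rather than guessed.

```javascript
// Added example (not from the issue or the undici project): audit a lockfile for
// copies of undici inside the range the maintainers described as affected.

const AFFECTED_FROM = '6.0.0'; // from the maintainers' statement quoted in the issue
const FIXED_IN = null;         // placeholder: fixed version is not stated on the page

// Constructed lockfile excerpt (lockfileVersion 3): a hoisted undici 5.x plus a
// nested 6.x copy pulled in by a dependency. Versions here are made up for the demo.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/undici': { version: '5.28.3' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/undici': { version: '6.2.0' },
    'node_modules/unrelated': { version: '1.0.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts. Prerelease and
// build metadata are ignored, which is sufficient for a release-only bound like ">= 6.0.0".
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver release version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing two release versions numerically, not lexically.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is >= from and (if a fixed version is known) < fixedIn.
function isAffected(version, from = AFFECTED_FROM, fixedIn = FIXED_IN) {
  if (compareSemver(version, from) < 0) return false;
  if (fixedIn !== null && compareSemver(version, fixedIn) >= 0) return false;
  return true;
}

// Collect every installed copy of `name`, including copies nested under other packages.
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      const matches = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
      if (matches && entry.version) found.push({ path, version: entry.version });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree.
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && entry.version) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Report each installed copy with its affected/not-affected verdict.
function auditLock(lock, name = 'undici') {
  return findInstalled(lock, name).map((hit) => ({ ...hit, affected: isAffected(hit.version) }));
}

// Stand-alone run over the constructed lockfile.
for (const hit of auditLock(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version}: ${hit.affected ? 'in affected range' : 'not affected'}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed file contents. Note the difference in outcome from a scanner that trusts NVD while the entry is still "Awaiting Analysis": this check encodes the maintainers' stated range, so the two can disagree until NVD publishes its own version data.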
