CVE-2024-24750: 
JavaScript vulnerability analysis and mitigation

Undici, an HTTP/1.1 client written specifically for Node.js, contains a vulnerability identified as CVE-2024-24750. The issue affects versions 6.0.0 through 6.6.0, where calling fetch(url) and not consuming the incoming body (or consuming it very slowly) leads to a memory leak. The vulnerability was discovered and disclosed in January 2024, with a fix released in version 6.6.1 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The technical issue stems from improper handling of backpressure requests in the fetch() implementation, which can result in unbounded memory consumption when the response body is not properly consumed (GitHub Advisory).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through memory exhaustion. The impact is particularly significant in applications that make fetch requests without properly consuming the response bodies, potentially affecting the availability of the service (NetApp Advisory).

Users are strongly advised to upgrade to version 6.6.1 or later, which contains the fix for this vulnerability. For those unable to upgrade immediately, the recommended workaround is to ensure that incoming bodies are always consumed in the application code (GitHub Advisory).