CVE-2024-38375: 
JavaScript vulnerability analysis and mitigation

CVE-2024-38375 is a use-after-free vulnerability discovered in the @fastly/js-compute package versions 3.0.0 through 3.16.0. The vulnerability was discovered and disclosed on June 26, 2024, affecting multiple functions within the package's implementation (GitHub Advisory).

The vulnerability affects several functions including FetchEvent.client.tlsCipherOpensslName, FetchEvent.client.tlsProtocol, FetchEvent.client.tlsClientCertificate, FetchEvent.client.tlsJA3MD5, FetchEvent.client.tlsClientHello, CacheEntry.prototype.userMetadata of the fastly:cache subsystem, and Device.lookup of the fastly:device subsystem. The CVSS v3.1 score is 5.3 (Moderate) with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H (GitHub Advisory).

The vulnerability could lead to unintended data leaks if the results of the affected functions are transmitted elsewhere. Additionally, it often results in a Compute service crash, causing HTTP 500 errors to be returned. Due to request isolation, the potential data exposure is limited to data present within a single request (GitHub Advisory).

The vulnerability has been patched in version 3.16.0 of the @fastly/js-compute package. There are no workarounds available for this bug, as any use of the affected functions introduces the possibility of a data leak or crash in guest code (GitHub Advisory).