CVE-2024-30261: CWE-284: Improper Access Control in nodejs undici
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered with. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
AI Analysis
Technical Summary
Undici is a high-performance HTTP/1.1 client library for Node.js. CVE-2024-30261 arises from improper access control around the `integrity` option of the fetch() API that undici provides. That option is meant to verify that the response body matches an expected cryptographic hash, so that a tampered response is rejected. Because of this flaw, an attacker able to alter the `integrity` option passed to fetch() can cause the client to accept a response that has been tampered with, bypassing the intended check. The weakness is classified as CWE-284 (Improper Access Control): the library does not adequately restrict how the integrity check is controlled.

Affected versions are all releases before 5.28.4 and the 6.x line from 6.0.0 up to but not including 6.11.1. The issue was publicly disclosed on April 4, 2024, with fixes in 5.28.4 and 6.11.1. The CVSS v3.1 base score is 2.6 (low severity): exploitation requires network access, low privileges and user interaction, and the impact is limited to integrity, with no effect on confidentiality or availability. No exploits in the wild have been reported, suggesting limited active exploitation.

An attacker positioned to intercept or manipulate HTTP traffic to a Node.js application that uses undici's fetch(), and able to influence the `integrity` value, could have the application process malicious or altered data as if it were legitimate. This undermines the trustworthiness of HTTP responses and could lead to downstream logic errors or data corruption.
Potential Impact
For European organizations, the primary impact of this vulnerability is that Node.js applications using vulnerable undici versions may accept tampered HTTP responses. Processing such data can cause incorrect application behavior, data corruption, or flawed business logic execution. Although confidentiality and availability are not directly affected, an integrity compromise could facilitate further attacks or data manipulation. Organizations relying on undici for critical HTTP communications, especially those handling sensitive transactions or data validation, face a risk of subtle data integrity breaches. The impact is more pronounced in sectors with heavy reliance on Node.js backend services, such as fintech, e-commerce, and SaaS providers. Given the low CVSS score and the absence of known exploits, the immediate risk is limited, but the vulnerability should not be ignored: it could be leveraged in targeted attacks or combined with other vulnerabilities. Failure to patch could also expose organizations to compliance risk where data integrity is mandated by regulations such as GDPR or sector-specific standards.
Mitigation Recommendations
European organizations should promptly upgrade undici to version 5.28.4 or later, or 6.11.1 or later, to apply the official patches for this vulnerability. Beyond patching, developers should audit every use of the fetch() API in their Node.js applications to confirm that the `integrity` option is handled correctly and cannot be influenced by untrusted input, for example by pinning the expected digest as a constant rather than deriving it from request or response data. Network-level protections such as TLS should be enforced to prevent man-in-the-middle attacks that could alter HTTP responses. Where the application also serves browser content, a strict Content Security Policy (CSP) and validation of all external data sources reduce the risk of acting on tampered data. Logging integrity-check outcomes for HTTP requests and responses, and alerting on failures, helps detect anomalies. Security teams should also review supply chain dependencies to identify indirect usage of vulnerable undici versions, including the undici copy bundled with the Node.js runtime itself. Finally, incorporate this vulnerability into threat modeling and incident response plans to prepare for potential exploitation scenarios.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-03-26T12:52:00.934Z
- CVSS Version: 3.1
- State: PUBLISHED