Headline
GHSA-mp3g-vpm9-9vqv: @fastly/js-compute has a use-after-free in some host call implementations
Impact
The implementation of the following functions were determined to include a use-after-free bug:
FetchEvent.client.tlsCipherOpensslName
FetchEvent.client.tlsProtocol
FetchEvent.client.tlsClientCertificate
FetchEvent.client.tlsJA3MD5
FetchEvent.client.tlsClientHello
CacheEntry.prototype.userMetadata
of thefastly:cache
subsystemDevice.lookup
of thefastly:device
subsystem
This bug could allow for an unintended data leak if the result of the preceding functions were sent anywhere else, and often results in a Compute service crash causing an HTTP 500 error to be returned. As all requests to Compute are isolated from one another, the only data at risk is data present for a single request.
Patches
This bug has been fixed in version 3.16.0 of the @fastly/js-compute
package.
Workarounds
There are no workarounds for this bug, any use of the affected functions introduces the possibility of a data leak or crash in guest code.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-38375
@fastly/js-compute has a use-after-free in some host call implementations
Moderate severity GitHub Reviewed Published Jun 26, 2024 in fastly/js-compute-runtime • Updated Jun 26, 2024
Package
npm @fastly/js-compute (npm)
Affected versions
>= 3.0.0, < 3.16.0
Impact
The implementation of the following functions were determined to include a use-after-free bug:
- FetchEvent.client.tlsCipherOpensslName
- FetchEvent.client.tlsProtocol
- FetchEvent.client.tlsClientCertificate
- FetchEvent.client.tlsJA3MD5
- FetchEvent.client.tlsClientHello
- CacheEntry.prototype.userMetadata of the fastly:cache subsystem
- Device.lookup of the fastly:device subsystem
This bug could allow for an unintended data leak if the result of the preceding functions were sent anywhere else, and often results in a Compute service crash causing an HTTP 500 error to be returned. As all requests to Compute are isolated from one another, the only data at risk is data present for a single request.
Patches
This bug has been fixed in version 3.16.0 of the @fastly/js-compute package.
Workarounds
There are no workarounds for this bug, any use of the affected functions introduces the possibility of a data leak or crash in guest code.
References
- GHSA-mp3g-vpm9-9vqv
- fastly/js-compute-runtime@4e16641
Published to the GitHub Advisory Database
Jun 26, 2024
Last updated
Jun 26, 2024