GHSA-8495-4g3g-x7pr: aiohttp allows request smuggling due to incorrect parsing of chunk extensions

GHSA-27mf-ghqm-j3j8: aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

GHSA-jp37-5qhw-mffw: Sharks has a Bias of Polynomial Coefficients in Secret Sharing

GHSA-vggm-3478-vm5m: Graylog concurrent PDF report rendering can leak other users' reports

GHSA-7cc9-j4mv-vcjp: XXE in PHPSpreadsheet's XLSX reader

### Impact

If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.

### Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.
Fixes has been released in v5.28.4 and v6.11.1.


### Workarounds

Ensure that `integrity` cannot be tampered with.

### References

https://hackerone.com/reports/2377760


**Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect**

Low severity GitHub Reviewed Published Apr 4, 2024 in nodejs/undici • Updated Apr 4, 2024

Headline

GHSA-9qxr-qj54-h672: Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Impact

Patches

Workarounds

References

ghsa: Latest News