Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tcDNnLXZwbTktOXZxds4AA9Xz

@fastly/js-compute has a use-after-free in some host call implementations

Impact

The implementation of the following functions were determined to include a use-after-free bug:

This bug could allow for an unintended data leak if the result of the preceding functions were sent anywhere else, and often results in a Compute service crash causing an HTTP 500 error to be returned. As all requests to Compute are isolated from one another, the only data at risk is data present for a single request.

Patches

This bug has been fixed in version 3.16.0 of the @fastly/js-compute package.

Workarounds

There are no workarounds for this bug, any use of the affected functions introduces the possibility of a data leak or crash in guest code.

Permalink: https://github.com/advisories/GHSA-mp3g-vpm9-9vqv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcDNnLXZwbTktOXZxds4AA9Xz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 18 days ago
Updated: 18 days ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

Identifiers: GHSA-mp3g-vpm9-9vqv, CVE-2024-38375
References: Repository: https://github.com/fastly/js-compute-runtime
Blast Radius: 9.6

Affected Packages

npm:@fastly/js-compute
Dependent packages: 36
Dependent repositories: 65
Downloads: 34,837 last month
Affected Version Ranges: >= 3.0.0, < 3.16.0
Fixed in: 3.16.0
All affected versions: 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 3.12.0, 3.12.1, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.14.2, 3.15.0
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.4, 0.2.5, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11, 0.5.12, 0.5.13, 0.5.14, 0.5.15, 0.6.0, 0.7.0, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.13.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 3.16.0, 3.16.2, 3.17.0