Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tcDNnLXZwbTktOXZxds4AA9Xz

@fastly/js-compute has a use-after-free in some host call implementations

Impact

The implementation of the following functions were determined to include a use-after-free bug:

• FetchEvent.client.tlsCipherOpensslName
• FetchEvent.client.tlsProtocol
• FetchEvent.client.tlsClientCertificate
• FetchEvent.client.tlsJA3MD5
• FetchEvent.client.tlsClientHello
• CacheEntry.prototype.userMetadata of the fastly:cache subsystem
• Device.lookup of the fastly:device subsystem

This bug could allow for an unintended data leak if the result of the preceding functions were sent anywhere else, and often results in a Compute service crash causing an HTTP 500 error to be returned. As all requests to Compute are isolated from one another, the only data at risk is data present for a single request.

Patches

This bug has been fixed in version 3.16.0 of the @fastly/js-compute package.

Workarounds

There are no workarounds for this bug, any use of the affected functions introduces the possibility of a data leak or crash in guest code.

Permalink: https://github.com/advisories/GHSA-mp3g-vpm9-9vqv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcDNnLXZwbTktOXZxds4AA9Xz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

Identifiers: GHSA-mp3g-vpm9-9vqv, CVE-2024-38375
References:

• https://github.com/fastly/js-compute-runtime/security/advisories/GHSA-mp3g-vpm9-9vqv
• https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3
• https://nvd.nist.gov/vuln/detail/CVE-2024-38375
• https://github.com/advisories/GHSA-mp3g-vpm9-9vqv

Repository: https://github.com/fastly/js-compute-runtime
Blast Radius: 9.6

Affected Packages