CVE-2024-38375

Name of the Vulnerable Software and Affected Versions @fastly/js-compute versions prior to 3.16.0

Description The implementation of several functions in the @fastly/js-compute package includes a use-after-free bug. This bug could allow for unintended data loss if the result of the preceding functions were sent anywhere else, and often results in a Compute service crash causing an HTTP 500 error to be returned. The affected functions include FetchEvent.client.tlsCipherOpensslName, FetchEvent.client.tlsProtocol, FetchEvent.client.tlsClientCertificate, FetchEvent.client.tlsJA3MD5, FetchEvent.client.tlsClientHello, CacheEntry.prototype.userMetadata of the fastly:cache subsystem, and Device.lookup of the fastly:device subsystem. As all requests to Compute are isolated from one another, the only data at risk is data present for a single request.

Recommendations For versions prior to 3.16.0, update to version 3.16.0 or later to fix the use-after-free bug. As a temporary workaround, consider avoiding the use of the affected functions until a patch is available. Restrict access to the affected subsystems, such as fastly:cache and fastly:device, to minimize the risk of exploitation. Avoid using the affected functions, such as FetchEvent.client.tlsCipherOpensslName and CacheEntry.prototype.userMetadata, in your code until the issue is resolved.