{"id":"CVE-2024-38375","summary":"@fastly/js-compute use-after-free in some host call implementations","details":"@fastly/js-compute is a JavaScript SDK and runtime for building Fastly Compute applications. The implementation of several functions were determined to include a use-after-free bug. This bug could allow for unintended data loss if the result of the preceding functions were sent anywhere else, and often results in a guest trap causing services to return a 500. This bug has been fixed in version 3.16.0 of the `@fastly/js-compute` package.","aliases":["GHSA-mp3g-vpm9-9vqv"],"modified":"2026-04-16T11:22:34.769264Z","published":"2024-06-26T18:46:12.471Z","database_specific":{"cwe_ids":["CWE-416"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38375.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38375.json"},{"type":"ADVISORY","url":"https://github.com/fastly/js-compute-runtime/security/advisories/GHSA-mp3g-vpm9-9vqv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38375"},{"type":"FIX","url":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fastly/js-compute-runtime","events":[{"introduced":"0"},{"fixed":"4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3"}]},{"type":"GIT","repo":"https://github.com/fastly/js-compute-runtime","events":[{"introduced":"0"},{"fixed":"4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3"}]}],"versions":["dev","v0.1.0","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.2.4","v0.2.5","v0.3.0","v0.4.0","v0.5.0","v0.5.10","v0.5.11","v0.5.12","v0.5.13","v0.5.14","v0.5.15","v0.5.2","v0.5.3","v0.5.5","v0.5.6","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.7.0","v1.0.0","v1.0.1","v1.1.0","v1.10.0","v1.10.1","v1.11.0","v1.11.1","v1.11.2","v1.12.0","v1.13.0","v1.2.0","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.4.0","v1.4.1","v1.4.2","v1.5.0","v1.5.1","v1.5.2","v1.6.0","v1.7.0","v1.7.1","v1.8.0","v1.8.1","v1.9.0","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.2.0","v2.2.1","v2.3.0","v2.4.0","v2.5.0","v3.0.0","v3.1.0","v3.1.1","v3.10.0","v3.11.0","v3.12.0","v3.12.1","v3.13.0","v3.13.1","v3.14.0","v3.14.1","v3.14.2","v3.15.0","v3.2.0","v3.2.1","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.4.0","v3.5.0","v3.6.0","v3.6.1","v3.6.2","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.8.0","v3.8.1","v3.8.2","v3.8.3","v3.9.0","v3.9.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38375.json","vanir_signatures":[{"id":"CVE-2024-38375-065b4c7d","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"threshold":0.9,"line_hashes":["213375228911496011284048462469818416530","15839923401657979613890299177309647967","229020629453698824424268211530371245241","58735036091239992543763559616450337966","157838897318592531097021253735612307766","170789445151969746844077421026136048934","88790723601321382052723622227154552231","98724536703323644889737119078589859233","253690686299740864689963887841570106376","228814143152336153075470524208128371147","1427576535806725227276944277058472870","307920445597207937242928224469885499988","154163287063621141470641037470464420296","164633010404636534734185832302112303007","328285654447113466198515749272091285212","339926867952758820917322609174978739803","81891002541257859893963049075193557280","214087406079956514843383559496109855717","291718405784181134169085517903488134892","146795972645045251370256046682894857247","292847464558441208383347684518051101715","276820262617185966707211784959229132770","280115130551846487450343093576309218876","195297439475363290198193800328043899115","209275960213742910898547873068098466545","24737225083269113212052588193051330484","3202093062068446365596141913895009922","162406223611947340341403643611168420685","29054677032466657588918199895196753923","171243014386257846705978285081349906602","124781033276728384626071980206076932262"]},"signature_type":"Line","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-16baabc7","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_client_hello","file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"234919812295901918094339412678780029092","length":482},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-2eaad5ae","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_device_detection_lookup","file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"180345000339405095981612431345438191176","length":675},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-352d1a36","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_cache_get_user_metadata","file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"254591547660798199369633847213337185883","length":568},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-47f8664e","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_protocol","file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"124729098453303865489508925412105561727","length":539},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-48f01032","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"threshold":0.9,"line_hashes":["213375228911496011284048462469818416530","15839923401657979613890299177309647967","229020629453698824424268211530371245241","58735036091239992543763559616450337966","157838897318592531097021253735612307766","170789445151969746844077421026136048934","88790723601321382052723622227154552231","98724536703323644889737119078589859233","253690686299740864689963887841570106376","228814143152336153075470524208128371147","1427576535806725227276944277058472870","307920445597207937242928224469885499988","154163287063621141470641037470464420296","164633010404636534734185832302112303007","328285654447113466198515749272091285212","339926867952758820917322609174978739803","81891002541257859893963049075193557280","214087406079956514843383559496109855717","291718405784181134169085517903488134892","146795972645045251370256046682894857247","292847464558441208383347684518051101715","276820262617185966707211784959229132770","280115130551846487450343093576309218876","195297439475363290198193800328043899115","209275960213742910898547873068098466545","24737225083269113212052588193051330484","3202093062068446365596141913895009922","162406223611947340341403643611168420685","29054677032466657588918199895196753923","171243014386257846705978285081349906602","124781033276728384626071980206076932262"]},"signature_type":"Line","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-50745c30","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_ja3_md5","file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"48809108653870121712457795961081952439","length":450},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-53dd6d86","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_cache_get_user_metadata","file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"254591547660798199369633847213337185883","length":568},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-6d2e23d4","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_raw_client_certificate","file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"114757806373549105925203724658642501047","length":503},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-81bc4459","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_ja3_md5","file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"48809108653870121712457795961081952439","length":450},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-8d470d89","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_device_detection_lookup","file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"180345000339405095981612431345438191176","length":675},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-93969509","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_raw_client_certificate","file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"114757806373549105925203724658642501047","length":503},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-a2fda06d","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_client_hello","file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"234919812295901918094339412678780029092","length":482},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-bbfdb030","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_cipher_openssl_name","file":"runtime/js-compute-runtime/host_interface/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"256581111348851229993918972378523127579","length":562},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-d46165f1","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_cipher_openssl_name","file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"256581111348851229993918972378523127579","length":562},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2024-38375-d6891bb7","source":"https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3","target":{"function":"fastly_compute_at_edge_http_req_downstream_tls_protocol","file":"runtime/fastly/host-api/component/fastly_world_adapter.cpp"},"digest":{"function_hash":"124729098453303865489508925412105561727","length":539},"signature_type":"Function","deprecated":false,"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-16T11:22:34Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H"}]}