GitHub Advisory DatabaseGHSA-M4V8-WQVR-P9F7Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
10.3%
Impact
Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().
Patches
This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
use fetch() or disable maxRedirections.
References
Linzi Shang reported this.
Affected configurations
References
github.com/advisories/GHSA-m4v8-wqvr-p9f7
github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
hackerone.com/reports/2408074
lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
nvd.nist.gov/vuln/detail/CVE-2024-30260
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
10.3%