CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
AI Score
Confidence: Low
EPSS
Percentile: 10.3%
undici is vulnerable to Header Injection. The vulnerability is due to inconsistent header handling, where headers were cleared for fetch() but not for undici.request(), which could result in unauthorized access to sensitive information.
github.com/advisories/GHSA-m4v8-wqvr-p9f7
github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
hackerone.com/reports/2408074
lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/