undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
- Severity: Low
Description
Authorization headers are already cleared on cross-origin redirect in https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.
However, Cookie headers, which are sensitive and are official headers defined in the spec, remain uncleared on such redirects.
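As an added illustration of the behaviour the advisory describes (this is not undici's redirect handler, and the function names, header set and URLs below are constructed for the example), the following shows a minimal redirect-header policy that drops credential-bearing headers, Cookie included, whenever the redirect target has a different origin from the original request:

```javascript
// Added example, not code from undici: decide which request headers may follow
// a redirect. The header list, function names and sample URLs are constructed.

// Credential-bearing headers that must not be forwarded to a different origin.
// Cookie sits next to Authorization here; omitting it is the gap the advisory reports.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Two URLs are cross-origin when scheme, host or port differ (WHATWG URL origin).
// The Location header may be relative, so it is resolved against the request URL.
function isCrossOrigin(fromUrl, location) {
  const from = new URL(fromUrl);
  const to = new URL(location, fromUrl);
  return from.origin !== to.origin;
}

// Build the header set for the redirected request. Returns the resolved target
// URL, a fresh headers object (the input is not mutated) and the names dropped.
function headersForRedirect(headers, fromUrl, location) {
  const target = new URL(location, fromUrl);
  const cross = isCrossOrigin(fromUrl, location);
  const forwarded = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive, so compare in lower case.
    if (cross && SENSITIVE_HEADERS.has(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    forwarded[name] = value;
  }
  return { url: target.href, headers: forwarded, dropped };
}

// Constructed sample: a login request whose response redirects elsewhere.
const sampleHeaders = {
  Cookie: 'session=abc123',
  Authorization: 'Bearer example-token',
  Accept: 'application/json',
};

// Cross-host redirect: Cookie and Authorization are stripped, Accept survives.
const crossHost = headersForRedirect(sampleHeaders, 'https://app.example/login', 'https://cdn.example/landing');
// Relative Location on the same origin: every header is kept.
const sameOrigin = headersForRedirect(sampleHeaders, 'https://app.example/login', '/home');

console.log('cross-host dropped:', crossHost.dropped);   // Cookie, Authorization
console.log('same-origin dropped:', sameOrigin.dropped); // nothing
```

Comparing `origin` rather than just the host means a change of scheme or port (for example `http://` to `https://` on the same host) also counts as cross-origin, which matches the "cross-host / cross-origin" wording in the title. A real client would additionally consult its cookie jar for the new URL instead of copying the original Cookie header forward.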
Recommendation
Update the undici package to the latest compatible version. Version details:
- Affected version(s): < 5.8.0
- Patched version(s): 5.8.0
References
- GHSA-q768-x9m6-m9qp
- hackerone.com
- security.netapp.com
- CVE-2022-31151
- CWE-346
- CWE-601
- CWE-93
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
- Tags: npm, undici
Last updated on January 30, 2023