Description
Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers in browsers, so they cannot be set through RequestInit.headers in browser environments. Undici runs in Node.js, where no such restriction applies, so a Cookie header set by the caller is forwarded to the cross-origin redirect target along with the request.
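The defensive check described above, written out as an added example that is not undici's own code: compare the web origin (scheme, host, port) of the original request with the resolved redirect target and drop credential-bearing headers, Cookie included, only when the origin changes. Header names, the sample URLs and the sample header values are constructed for illustration.

```javascript
// Added example (not undici's own code): decide which request headers to drop
// when following a redirect, and build the headers for the redirected request.
// Assumptions: headers are a plain object; the original URL is absolute.

// Headers that carry credentials and must not cross an origin boundary.
// Authorization was already stripped by undici; Cookie is the one this advisory adds.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Compare the full web origin (scheme, host and port), not just the hostname.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Return the headers to send to `location`. A relative Location value is
// resolved against the original URL, as a client would. Header names are
// compared case-insensitively; the caller's object is not modified.
function headersForRedirect(originalUrl, location, headers) {
  const target = new URL(location, originalUrl).toString();
  if (!isCrossOrigin(originalUrl, target)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample: a request carrying a session cookie and a bearer token.
const sampleHeaders = {
  Cookie: 'session=constructed-sample-value',
  Authorization: 'Bearer constructed-sample-token',
  'User-Agent': 'example-client/1.0',
};

// Same-origin hop keeps every header; cross-origin hop drops only the credentials.
const sameOrigin = headersForRedirect('https://app.example/login', '/home', sampleHeaders);
const crossOrigin = headersForRedirect('https://app.example/login', 'https://other.example/', sampleHeaders);
```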
Recommendation
Update the undici package to the latest compatible version. The affected and patched versions are:
- Affected version(s): < 5.26.2
- Patched version(s): 5.26.2
References
- GHSA-wqq4-5wpv-mx2g
- hackerone.com
- lists.fedoraproject.org
- CVE-2023-45143
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Undici proxy-authorization header not cleared on cross-origin redirect in fetch - CVE-2024-24758
- Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260
- undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect - CVE-2022-31151
- CRLF Injection in Nodejs ‘undici’ via host - CVE-2023-23936
Tags:
- npm
- undici
Last updated on February 16, 2024