Description
Undici clears the Authorization header on cross-origin redirects, but does not clear the Cookie header. By design, Cookie is a forbidden request header name, so it cannot be set through RequestInit.headers in browser environments.
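To make the advisory's point concrete, the following helper (an added example, not undici's code) computes the header set a fetch client should carry across a redirect. With `patched: false` it reproduces the behaviour described above (only Authorization dropped); with the default `patched: true` it also drops Cookie, and the hypothetical `Proxy-Authorization` entry is an assumption of this example.

```javascript
// Added example: decide which request headers may follow a redirect.
// Origin comparison uses the WHATWG URL "origin" (scheme + host + port),
// which is what "cross-origin" means in the advisory. URL is a Node global.

// Credential-bearing headers that must not cross an origin boundary.
// Proxy-Authorization is included here as an assumption, not from the advisory.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Returns a fresh header map for the redirected request.
// fromUrl: URL of the request that received the 3xx response
// location: value of its Location header (may be relative)
// headers: plain object of headers sent on the original request
// patched=false models pre-5.26.2 behaviour (Cookie retained cross-origin).
function headersForRedirect(fromUrl, location, headers, { patched = true } = {}) {
  const target = new URL(location, fromUrl); // resolve relative Location
  const crossOrigin = !sameOrigin(fromUrl, target.href);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin) {
      const strip = patched
        ? CREDENTIAL_HEADERS.has(lower)
        : lower === 'authorization'; // the only header cleared before the fix
      if (strip) continue;
    }
    out[name] = value;
  }
  return out;
}
```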
Recommendation
Update the undici package to the latest compatible version. Version details:
- Affected version(s): < 5.26.2
- Patched version(s): 5.26.2
References
- GHSA-wqq4-5wpv-mx2g
- hackerone.com
- lists.fedoraproject.org
- CVE-2023-45143
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- undici before v5.8.0 vulnerable to CRLF injection in request headers - CVE-2022-31150
- `undici.request` vulnerable to SSRF using absolute URL on `pathname` - CVE-2022-35949
- Follow Redirects improperly handles URLs in the url.parse() function - CVE-2023-26159
- Exposure of Sensitive Information to an Unauthorized Actor in nanoid - CVE-2021-23566
Tags:
- npm
- undici
Last updated on February 16, 2024