Description
Undici clears Authorization headers on cross-origin redirects but does not clear Cookie headers. By design, Cookie is a forbidden request header in browser environments, so it cannot be set via RequestInit.headers there.
Recommendation
Update the undici package to the latest compatible version. Version details:
- Affected version(s): < 5.26.2
- Patched version(s): 5.26.2
References
- GHSA-wqq4-5wpv-mx2g
- hackerone.com
- lists.fedoraproject.org
- CVE-2023-45143
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- undici before v5.8.0 vulnerable to CRLF injection in request headers - CVE-2022-31150
- `undici.request` vulnerable to SSRF using absolute URL on `pathname` - CVE-2022-35949
- bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function - CVE-2025-3194
- Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260
Tags:
- npm
- undici
Last updated on February 16, 2024