Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
CVE-2024-30260

4.3MEDIUM

Key Information:

Vendor: Nodejs
Status: Undici
Vendor: CVE Published:; 4 April 2024

What is CVE-2024-30260?

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Affected Version(s)

undici < 5.28.4 < 5.28.4

undici >= 6.0.0, < 6.11.1 < 6.0.0, 6.11.1

References

https://github.com/nodejs/undici/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/nodejs/undici/commit/64e3402da4e032e68...

x_refsource_MISC

https://github.com/nodejs/undici/commit/6805746680d27a536...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2024

Nodejs

What is CVE-2024-30260?

Affected Version(s)

References

CVSS V3.1

Timeline