CVE-2024-30260

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

References

Link	Tags
https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7	patch vendor advisory
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f	patch
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75	patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/	product
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/	product
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/	product

Frequently Asked Questions

What is the severity of CVE-2024-30260?: CVE-2024-30260 has been scored as a low severity vulnerability.
How to fix CVE-2024-30260?: To fix CVE-2024-30260, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-30260 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-30260 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-30260?: CVE-2024-30260 affects nodejs undici.

Description

Categories

CWE-285 – Improper Authorization

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions