CVE-2023-45143

Name
CVE-2023-45143
Description
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared `Authorization` headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` is a forbidden request header, so it cannot be set in `RequestInit.headers` in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect between the assumptions the spec makes and undici's implementation of fetch. As such, this may lead to accidental leakage of cookies to a third-party site, or to a malicious attacker who controls the redirection target (i.e. an open redirector) leaking the cookie to a third-party site. This was patched in version 5.26.2. There are no known workarounds.
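The behaviour the advisory describes, as an added example that is not undici's own code: a redirect-following client that, on a cross-origin hop, drops the credential-bearing headers (`Authorization`, and after the fix `Cookie`), while a same-origin hop keeps them. The transport, routes and header values are constructed for the example (no network); the `dropCookie` option exists only to show the pre-5.26.2 behaviour beside the fixed one, and the header set is limited to the two headers the advisory names.

```javascript
// Added example (not undici's code): models the cross-origin redirect header
// hygiene that CVE-2023-45143 concerned. Before 5.26.2 undici dropped
// Authorization but kept Cookie when following a redirect to another origin;
// the fixed behaviour drops both. Everything below runs offline.

const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie']);
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Same origin means same scheme, host and port (URL.host includes the port).
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Compute the headers for the next hop. A relative Location is resolved against
// the current URL; credential headers are dropped only when the origin changes.
// dropCookie=false reproduces the pre-fix behaviour (Cookie survives the hop).
function headersForRedirect(currentUrl, location, headers, { dropCookie = true } = {}) {
  const target = new URL(location, currentUrl).href;
  const crossOrigin = !sameOrigin(currentUrl, target);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && CREDENTIAL_HEADERS.has(lower)) {
      if (lower === 'cookie' && !dropCookie) out[lower] = value;
      continue;
    }
    out[lower] = value;
  }
  return { url: target, headers: out };
}

// Follow redirects through transport(url, headers) -> { status, headers },
// recording exactly which headers were sent on each hop.
function followRedirects(startUrl, headers, transport, options = {}, maxHops = 5) {
  let url = startUrl;
  let current = normaliseHeaders(headers);
  const trace = [];
  for (let hop = 0; hop <= maxHops; hop++) {
    const response = transport(url, current);
    trace.push({ url, sentHeaders: { ...current } });
    const location = response.headers && response.headers.location;
    if (!REDIRECT_STATUSES.has(response.status) || !location) return { response, trace };
    ({ url, headers: current } = headersForRedirect(url, location, current, options));
  }
  throw new Error('too many redirects');
}

// Constructed routes: an open redirect on api.example.com that sends the client
// to a third-party origin, and a same-origin redirect for contrast.
const ROUTES = {
  'https://api.example.com/redirect': { status: 302, headers: { location: 'https://third-party.example.net/collect' } },
  'https://third-party.example.net/collect': { status: 200, headers: {} },
  'https://api.example.com/internal': { status: 307, headers: { location: '/internal-v2' } },
  'https://api.example.com/internal-v2': { status: 200, headers: {} },
};

function fakeTransport(url) {
  const route = ROUTES[url];
  if (!route) throw new Error(`constructed transport has no route for ${url}`);
  return route;
}

// Constructed request headers; the cookie and token are placeholders.
const SAMPLE_HEADERS = { Cookie: 'session=abc123', Authorization: 'Bearer token', Accept: 'application/json' };

function demo() {
  const fixed = followRedirects('https://api.example.com/redirect', SAMPLE_HEADERS, fakeTransport);
  const vulnerable = followRedirects('https://api.example.com/redirect', SAMPLE_HEADERS, fakeTransport, { dropCookie: false });
  const sameSite = followRedirects('https://api.example.com/internal', SAMPLE_HEADERS, fakeTransport);
  return { fixed, vulnerable, sameSite };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { fixed, vulnerable, sameSite } = demo();
  console.log('fixed, headers sent to third party:', fixed.trace[1].sentHeaders);
  console.log('pre-5.26.2, headers sent to third party:', vulnerable.trace[1].sentHeaders);
  console.log('same-origin hop, headers sent:', sameSite.trace[1].sentHeaders);
}
```

Running the file prints the three hop-by-hop header sets; the second line is the leak the advisory describes (the session cookie arriving at the third-party origin), and the third shows that a same-origin redirect is not affected. The per-hop trace is the useful bit for a defender: when auditing a client, log the headers at each hop rather than only on the first request.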
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
MISC https://hackerone.com/reports/2166948
MISC https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
MISC https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76
MISC https://github.com/nodejs/undici/releases/tag/v5.26.2
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

Match rules

CPE URI: cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Source package: nodejs
Min version: >= None
Max version: < 5.26.2

Vulnerable and fixed packages

Source package: nodejs-current
Branch: 3.18-community
Version: 20.8.1-r0
Maintainer: Jose-Luis Rivas <ghostbar@riseup.net>
Status: fixed