CVE-2023-45143 – Undici's cookie header not cleared on cross-origin redirect in fetch
https://notcve.org/view.php?id=CVE-2023-45143
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. • https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 https://github.com/nodejs/undici/releases/tag/v5.26.2 https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g https://hackerone.com/reports/2166948 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-23936 – CRLF Injection in Nodejs ‘undici’ via host
https://notcve.org/view.php?id=CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the 'host' header. • https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 https://github.com/nodejs/undici/releases/tag/v5.19.1 https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff https://hackerone.com/reports/1820955 https://access.redhat.com/security/cve/CVE-2023-23936 https://bugzilla.redhat.com/show_bug.cgi?id=2172190 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVE-2023-24807 – Undici vulnerable to Regular Expression Denial of Service in Headers
https://notcve.org/view.php?id=CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available. • https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf https://github.com/nodejs/undici/releases/tag/v5.19.1 https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w https://hackerone.com/bugs?report_id=1784449 https://access.redhat.com/security/cve/CVE-2023-24807 https://bugzilla.redhat.com/show_bug.cgi?id=2172204 • CWE-20: Improper Input Validation CWE-1333: Inefficient Regular Expression Complexity •
CVE-2022-35948 – CRLF Injection in Nodejs ‘undici’ via Content-Type
https://notcve.org/view.php?id=CVE-2022-35948
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround. undici es un cliente HTTP/1.1, escrito desde cero para Node.js." versiones anteriores a undici@5.8.0 incluyéndola" los usuarios son vulnerables a una Inyección CRLF en los encabezados cuando usan entradas no saneadas como encabezados de petición, más concretamente, dentro del encabezado "content-type". Ejemplo: """ import { request } from "undici" const unsanitizedContentTypeInput = "application/json\r\n\r\nGET /foo2 HTTP/1.1" await request("http://localhost:3000, { method: "GET", headers: { "content-type": unsanitizedContentTypeInput }, }) """ El fragmento anterior llevará a cabo dos peticiones en una sola llamada a la API "request": 1) "http://localhost:3000/" 2) "http://localhost:3000/foo2" Este problema fue parcheado en Undici versión v5.8.1. Sanear la entrada cuando son enviados encabezados de tipo de contenido usando la entrada del usuario como mitigación. • https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 https://github.com/nodejs/undici/releases/tag/v5.8.2 https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3 https://access.redhat.com/security/cve/CVE-2022-35948 https://bugzilla.redhat.com/show_bug.cgi?id=2121101 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVE-2022-35949 – `undici.request` vulnerable to SSRF using absolute URL on `pathname`
https://notcve.org/view.php?id=CVE-2022-35949
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. • https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895 https://github.com/nodejs/undici/releases/tag/v5.8.2 https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 https://access.redhat.com/security/cve/CVE-2022-35949 https://bugzilla.redhat.com/show_bug.cgi?id=2121068 • CWE-918: Server-Side Request Forgery (SSRF) •