CVSS: 3.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-30260 – Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
https://notcve.org/view.php?id=CVE-2024-30260
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Undici borró los encabezados Authorization y Proxy-Authorization para `fetch()`, pero no los borró para `undici.request()`. • https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75 https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject& • CWE-285: Improper Authorization •
CVSS: 3.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24758 – Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
https://notcve.org/view.php?id=CVE-2024-24758
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 https://security.netapp.com/advisory/ntap-20240419-0007 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.9EPSS: 1%CPEs: 4EXPL: 0CVE-2023-45143 – Undici's cookie header not cleared on cross-origin redirect in fetch
https://notcve.org/view.php?id=CVE-2023-45143
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. • https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 https://github.com/nodejs/undici/releases/tag/v5.26.2 https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g https://hackerone.com/reports/2166948 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2023-23936 – CRLF Injection in Nodejs ‘undici’ via host
https://notcve.org/view.php?id=CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the 'host' header. • https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 https://github.com/nodejs/undici/releases/tag/v5.19.1 https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff https://hackerone.com/reports/1820955 https://access.redhat.com/security/cve/CVE-2023-23936 https://bugzilla.redhat.com/show_bug.cgi?id=2172190 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24807 – Undici vulnerable to Regular Expression Denial of Service in Headers
https://notcve.org/view.php?id=CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available. • https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf https://github.com/nodejs/undici/releases/tag/v5.19.1 https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w https://hackerone.com/bugs?report_id=1784449 https://access.redhat.com/security/cve/CVE-2023-24807 https://bugzilla.redhat.com/show_bug.cgi?id=2172204 • CWE-20: Improper Input Validation CWE-1333: Inefficient Regular Expression Complexity •