CVE-2022-31151

Uncleared cookies on cross-host/cross-origin redirect in undici

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

Los encabezados de autorización son borrados en las redirecciones de origen cruzado. Sin embargo, los encabezados de cookies, que son encabezados confidenciales y son encabezados oficiales que son encontrados en la especificación, permanecen sin limpiar. Se presentan usuarios activos que usan los encabezados de las cookies de forma indiscriminada. Esto puede conllevar a una fuga accidental de la cookie a un sitio de terceros o un atacante malicioso que pueda controlar el objetivo de la redirección (es decir, un redireccionador abierto) para filtrar la cookie al sitio de terceros. Esto fue parcheado en versión 5.7.1. Por defecto, esta vulnerabilidad no es explotable. No habilite los redireccionamientos, es decir, "maxRedirections: 0" (por defecto)

A flaw was found in the undici package. After cookie headers are set, they are not cleared. This issue could allow an attacker to take advantage of this cookie, which could be used to control the redirection target.

Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include crlf injection and denial of service vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-07-20 CVE Published
2025-04-22 CVE Updated
2025-04-22 First Exploit
2025-07-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-346: Origin Validation Error
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CAPEC

References (5)

URL	Tag	Source
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220909-0006	Third Party Advisory

URL	Date	SRC
https://github.com/nodejs/undici/issues/872	2025-04-22

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-31151	2022-09-26
https://bugzilla.redhat.com/show_bug.cgi?id=2121396	2022-09-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Undici Search vendor "Nodejs" for product "Undici"				< 5.7.1 Search vendor "Nodejs" for product "Undici" and version " < 5.7.1"		node.js		Affected