CVE-2024-30260

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Severity Score

3.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Undici borró los encabezados Authorization y Proxy-Authorization para `fetch()`, pero no los borró para `undici.request()`. Esta vulnerabilidad fue parcheada en las versiones 5.28.4 y 6.11.1.

A flaw was found in the nodejs-undici package. Proxy-Authorization headers are not cleared on cross-origin redirects, which can allow for the exposure of sensitive data or allow an attacker to capture the persistent proxy-authentication header.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

High

Authentication

Multiple

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-26 CVE Reserved
2024-04-04 CVE Published
2025-02-13 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-285: Improper Authorization

CAPEC

References (8)

URL	Tag	Source
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f	X_refsource_misc
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75	X_refsource_misc
https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-30260	2024-09-12
https://bugzilla.redhat.com/show_bug.cgi?id=2273522	2024-09-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Undici Search vendor "Nodejs" for product "Undici"				< 5.28.4 Search vendor "Nodejs" for product "Undici" and version " < 5.28.4"		en		Affected
Nodejs Search vendor "Nodejs"		Undici Search vendor "Nodejs" for product "Undici"				>= 6.0.0 < 6.11.1 Search vendor "Nodejs" for product "Undici" and version " >= 6.0.0 < 6.11.1"		en		Affected