CVE-2024-30260

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Severity Score

3.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Undici borró los encabezados Authorization y Proxy-Authorization para `fetch()`, pero no los borró para `undici.request()`. Esta vulnerabilidad fue parcheada en las versiones 5.28.4 y 6.11.1.

A flaw was found in the nodejs-undici package. Proxy-Authorization headers are not cleared on cross-origin redirects, which can allow for the exposure of sensitive data or allow an attacker to capture the persistent proxy-authentication header.

*Credits: N/A

CVSS Scores

GitHubv3.1 3.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-26 CVE Reserved
2024-04-04 CVE Published
2024-04-20 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-285: Improper Authorization

CAPEC

References (8)

URL	Tag	Source
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f	X_refsource_misc
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75	X_refsource_misc
https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-30260	2024-09-12
https://bugzilla.redhat.com/show_bug.cgi?id=2273522	2024-09-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Undici Search vendor "Nodejs" for product "Undici"				< 5.28.4 Search vendor "Nodejs" for product "Undici" and version " < 5.28.4"		en		Affected
Nodejs Search vendor "Nodejs"		Undici Search vendor "Nodejs" for product "Undici"				>= 6.0.0 < 6.11.1 Search vendor "Nodejs" for product "Undici" and version " >= 6.0.0 < 6.11.1"		en		Affected