
Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Low
mcollina published GHSA-m4v8-wqvr-p9f7 Apr 4, 2024

Package

npm undici (npm)

Affected versions

< 5.28.3; > 6.0.0 < 6.11.0

Patched versions

>= 5.28.4 < 6.0.0; >= 6.11.1

Description

Impact

Undici cleared the Authorization and Proxy-Authorization headers on cross-origin redirects for fetch(), but did not clear them for undici.request().

Patches

This has been patched in 6805746.
Fixes have been released in v5.28.4 and v6.11.1.

Workarounds

Use fetch() or disable maxRedirections.
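The check the advisory says was missing for request(), as an added example that is not undici's own code: a minimal redirect follower that drops Authorization and Proxy-Authorization whenever a hop changes origin, and that stops following redirects entirely when maxRedirections is 0 (the workaround). The URLs, response table, fetchFn stand-in and header values are constructed for the example.

```javascript
// Added example, not undici's code: redirect handling that strips credential
// headers on cross-origin hops. Network I/O is replaced by a constructed
// response table so the example runs offline.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization']);

// Same origin means same scheme, host and effective port; URL.origin already
// normalises default ports (https://a.example:443 and https://a.example match).
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Headers to carry to the next hop: Authorization and Proxy-Authorization are
// dropped when the hop changes origin; everything else is kept unchanged.
function headersForRedirect(currentUrl, location, headers) {
  const target = new URL(location, currentUrl); // Location may be relative
  const cross = isCrossOrigin(currentUrl, target.href);
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (cross && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    kept[name] = value;
  }
  return { url: target.href, headers: kept };
}

// Follow up to maxRedirections hops (0 disables following, as in the workaround).
// fetchFn(url, headers) is a hypothetical stand-in for the network and returns
// { status, headers }. Returns the final URL, the headers sent to it and its status.
function followRedirects(startUrl, headers, fetchFn, maxRedirections) {
  let url = startUrl;
  let sent = { ...headers };
  for (let hop = 0; ; hop++) {
    const res = fetchFn(url, sent);
    const location = res.headers && res.headers.location;
    if (res.status < 300 || res.status > 399 || !location || hop >= maxRedirections) {
      return { url, headers: sent, status: res.status };
    }
    ({ url, headers: sent } = headersForRedirect(url, location, sent));
  }
}

// Constructed sample chain: same-origin hop first, then a cross-origin hop.
const RESPONSES = {
  'https://api.example/v1/report': { status: 302, headers: { location: '/v2/report' } },
  'https://api.example/v2/report': { status: 307, headers: { location: 'https://cdn.example/report' } },
  'https://cdn.example/report': { status: 200, headers: {} },
};
const fakeFetch = (url) => RESPONSES[url] || { status: 404, headers: {} };
// Constructed placeholder credentials, not real secrets.
const creds = { Authorization: 'Bearer <token>', 'Proxy-Authorization': 'Basic <creds>', Accept: 'application/json' };
```

Running followRedirects('https://api.example/v1/report', creds, fakeFetch, 5) reaches cdn.example with only the Accept header; passing 0 for maxRedirections returns the first 302 untouched.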

References

Linzi Shang reported this.

Severity

Low
3.9 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-30260

Weaknesses