Source: node-undici X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for node-undici. CVE-2023-45143[0]: | Undici is an HTTP/1.1 client written from scratch for Node.js. Prior | to version 5.26.2, Undici already cleared Authorization headers on | cross-origin redirects, but did not clear `Cookie` headers. By | design, `cookie` headers are forbidden request headers, disallowing | them to be set in RequestInit.headers in browser environments. Since | undici handles headers more liberally than the spec, there was a | disconnect from the assumptions the spec made, and undici's | implementation of fetch. As such this may lead to accidental leakage | of cookie to a third-party site or a malicious attacker who can | control the redirection target (ie. an open redirector) to leak the | cookie to the third party site. This was patched in version 5.26.2. | There are no known workarounds. https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-45143 https://www.cve.org/CVERecord?id=CVE-2023-45143 Please adjust the affected versions in the BTS as needed.