GHSA-q768-x9m6-m9qp

Source

https://github.com/advisories/GHSA-q768-x9m6-m9qp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-q768-x9m6-m9qp/GHSA-q768-x9m6-m9qp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q768-x9m6-m9qp

Aliases

Published

2022-07-21T20:31:05Z

Modified

2024-08-01T05:26:34.070358Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect

Details

Impact

Authorization headers are already cleared on cross-origin redirect in https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.

However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in v5.8.0.

Workarounds

By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0 (the default).

References

https://hackerone.com/reports/1635514 https://curl.se/docs/CVE-2018-1000007.html https://curl.se/docs/CVE-2022-27776.html

For more information

If you have any questions or comments about this advisory: * Open an issue in undici repository * To make a report, follow the SECURITY document

References

Affected packages

npm / undici

Package

Name: undici; View open source insights on deps.dev
Purl: pkg:npm/undici

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.8.0