Linzi Shang

#50425 of 53,634
4.6 Total CVSS
Vulnerabilities · 1
PT-2024-2954
4.6
2024-04-04
Node.Js · Undici · CVE-2024-30260
**Name of the Vulnerable Software and Affected Versions**

- Undici versions prior to 5.28.4
- Undici versions prior to 6.11.1

**Description**

The issue is related to the Undici HTTP/1.1 client for Node.js, which has a flaw in its authorization procedure. Specifically, Undici clears Authorization and Proxy-Authorization headers for `fetch()`, but fails to do so for `undici.request()`. This could potentially allow a remote attacker to execute arbitrary code.

**Recommendations**

- For versions prior to 5.28.4, update to version 5.28.4 or later.
- For versions prior to 6.11.1, update to version 6.11.1 or later.
- As a temporary workaround, consider using `fetch()` instead of `undici.request()`.
- Alternatively, disable `maxRedirections` to minimize the risk of exploitation.