CVE-2022-31151

Name of the Vulnerable Software and Affected Versions undici versions prior to 5.7.1

Description The issue arises when authorization headers are cleared on cross-origin redirects, but cookie headers remain uncleared. This may lead to accidental leakage of cookies to a 3rd-party site or a malicious attacker who can control the redirection target. By design, cookie headers are forbidden request headers, but undici handles headers more liberally than the specification. There are active users using cookie headers in undici, which increases the risk of exploitation. The vulnerability is not exploitable by default if redirections are not enabled, i.e., maxRedirections: 0.

Recommendations For versions prior to 5.7.1, update to version 5.7.1 or later to resolve the issue. As a temporary workaround, consider disabling redirections by setting maxRedirections: 0 to minimize the risk of exploitation. Avoid using cookie headers in undici until the issue is resolved.