PT-2022-7066 · Undici+7

Ranjit-Git · Published 2022-07-21 · Updated 2025-02-13 · CVE-2023-45143

CVSS v2.0: 4.0 (Medium), Vector AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.26.2

Description: The issue concerns header handling in Undici, the HTTP/1.1 client for Node.js. Prior to version 5.26.2, Undici cleared the Authorization header on cross-origin redirects but did not clear the Cookie header. Cookie is by design a forbidden request header (one the user agent, not application code, is meant to control), so following a cross-origin redirect with it still attached can leak cookies to a third-party site by accident, or to an attacker who is able to control the redirect target.

Recommendations: For versions prior to 5.26.2, update to version 5.26.2 or later to resolve the issue. As a temporary workaround, restrict access to sensitive cookie headers until the update can be applied.
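The following is an added illustration, not Undici's own code: a small Node.js helper that models the two header-filtering policies the description contrasts (the pre-5.26.2 behaviour that drops only Authorization on a cross-origin redirect, and the fixed behaviour that also drops Cookie), plus an audit function a defender can use to check which sensitive headers a given redirect would still carry. The URLs, header values and function names are constructed for the example.

```javascript
// Added example (not part of Undici or of this advisory's text).
// Models the header-stripping decision a client makes when it follows an
// HTTP redirect, so the difference between the vulnerable and fixed
// policies is visible on concrete input.

// "Cross-origin" compares scheme + host + port; the WHATWG URL parser
// normalises default ports, so https://a.example:443 equals https://a.example.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Header names that must not travel to a different origin.
// Pre-5.26.2 behaviour as described by the advisory: only Authorization.
const VULNERABLE_STRIP = ['authorization'];
// Fixed behaviour: Cookie is dropped as well.
const FIXED_STRIP = ['authorization', 'cookie'];

// Returns the headers that would be sent on the redirected request.
// Header names are compared case-insensitively, since "Cookie" and "cookie"
// are the same header on the wire.
function headersForRedirect(headers, fromUrl, toUrl, stripList) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!stripList.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

function vulnerableRedirectHeaders(headers, fromUrl, toUrl) {
  return headersForRedirect(headers, fromUrl, toUrl, VULNERABLE_STRIP);
}

function fixedRedirectHeaders(headers, fromUrl, toUrl) {
  return headersForRedirect(headers, fromUrl, toUrl, FIXED_STRIP);
}

// Audit helper: names of credential-bearing headers (lower-cased) that a
// policy would still forward across origins. An empty array means the
// redirect leaks nothing from the sensitive set.
function leakedCrossOrigin(policy, headers, fromUrl, toUrl) {
  if (sameOrigin(fromUrl, toUrl)) return [];
  const forwarded = policy(headers, fromUrl, toUrl);
  return Object.keys(forwarded)
    .map((n) => n.toLowerCase())
    .filter((n) => FIXED_STRIP.includes(n))
    .sort();
}

// Constructed sample request: an API call that carries both a bearer token
// and a session cookie, redirected to a different origin.
const SAMPLE_HEADERS = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed-session-id',
  Accept: 'application/json',
};
const FROM_URL = 'https://app.example/api/resource';
const CROSS_ORIGIN_URL = 'https://third-party.example/landing';
const SAME_ORIGIN_URL = 'https://app.example:443/v2/resource';

function demo() {
  return {
    vulnerable: vulnerableRedirectHeaders(SAMPLE_HEADERS, FROM_URL, CROSS_ORIGIN_URL),
    fixed: fixedRedirectHeaders(SAMPLE_HEADERS, FROM_URL, CROSS_ORIGIN_URL),
    leakedByVulnerable: leakedCrossOrigin(vulnerableRedirectHeaders, SAMPLE_HEADERS, FROM_URL, CROSS_ORIGIN_URL),
    leakedByFixed: leakedCrossOrigin(fixedRedirectHeaders, SAMPLE_HEADERS, FROM_URL, CROSS_ORIGIN_URL),
    sameOriginKeepsAll: fixedRedirectHeaders(SAMPLE_HEADERS, FROM_URL, SAME_ORIGIN_URL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the two outcomes side by side: the vulnerable policy forwards the session cookie to third-party.example while the fixed policy forwards only Accept, and a redirect that stays on app.example (even with the explicit :443) keeps every header. The audit function is the piece worth reusing: pointed at whatever redirect-following logic an application wraps around its HTTP client, it reports any credential header that would cross an origin boundary.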

Exploit

Fix

Origin Validation Error

Open Redirect

Information Disclosure


Weakness Enumeration

Related Identifiers

ALSA-2023:5849
ALSA-2023:5869
ALSA-2023:7205
ALT-PU-2025-2007
ALT-PU-2025-2047
AZL-31338
BDU:2023-07356
CESA-2023_5869
CESA-2023_7205
CVE-2023-45143
GHSA-Q768-X9M6-M9QP
GHSA-WQQ4-5WPV-MX2G
MGASA-2023-0299
OPENSUSE-SU-2023_4207-1
OPENSUSE-SU-2024:13337-1
OPENSUSE-SU-2024:13340-1
RHSA-2023:5849
RHSA-2023:5869
RHSA-2023:7205
RHSA-2023_5849
RHSA-2023_5869
RHSA-2023_7205
RLSA-2023:7205
SUSE-SU-2023:4132-1
SUSE-SU-2023:4133-1
SUSE-SU-2023:4150-1
SUSE-SU-2023:4155-1
SUSE-SU-2023:4207-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Red Os
Rocky Linux
Suse
Undici