PT-2024-2689 · Node.Js+4 · Undici+4
T1M0N0 · Published 2024-02-05 · Updated 2025-08-12 · CVE-2024-24758
CVSS v2.0: 5.1 (Medium) · Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.28.3; Undici versions prior to 6.6.1

Description: The vulnerability stems from insufficient protection of service data caused by incorrect clearing of Proxy-Authentication headers in the Undici HTTP/1.1 client for Node.js. A remote attacker could exploit it to elevate privileges. On cross-origin redirects the Proxy-Authentication headers were not cleared, unlike the Authorization headers, which were already being cleared. There are no known workarounds for this issue.

Recommendations: For versions prior to 5.28.3, upgrade to version 5.28.3 or later. For versions prior to 6.6.1, upgrade to version 6.6.1 or later. As a temporary workaround, consider disabling the use of Proxy-Authentication headers in the Undici client until a patch is applied.
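Added example, not undici's own code or part of this record: a small redirect-header filter that models the two behaviours the description contrasts, clearing only Authorization on a cross-origin redirect (pre-fix) versus also clearing the proxy credential header (fixed). It assumes the proxy credential request header is the one RFC 9110 names Proxy-Authorization; the URLs and header values are constructed.

```javascript
// Added example, not undici's own code: which request headers survive a
// redirect. Header names are compared case-insensitively, as HTTP requires.

// Credential-bearing headers cleared on a cross-origin redirect. Before the
// fix only Authorization was cleared; 5.28.3 / 6.6.1 also clear the proxy
// credential header, which RFC 9110 names Proxy-Authorization.
const CLEARED_BEFORE_FIX = ['authorization'];
const CLEARED_AFTER_FIX = ['authorization', 'proxy-authorization'];

// Two URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Copy of `headers` for the redirected request: everything is kept on a
// same-origin redirect; on a cross-origin one the credential headers go.
function headersForRedirect(originalUrl, location, headers, clearedHeaders) {
  const target = new URL(location, originalUrl).href; // Location may be relative
  if (sameOrigin(originalUrl, target)) {
    return { ...headers };
  }
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!clearedHeaders.includes(name.toLowerCase())) {
      kept[name] = value;
    }
  }
  return kept;
}

// Constructed scenario: a client behind an authenticating proxy is redirected
// from api.example.com to a different origin.
const ORIGINAL_URL = 'https://api.example.com/resource';
const CROSS_ORIGIN_LOCATION = 'https://other.example.net/landing';
const REQUEST_HEADERS = {
  Authorization: 'Bearer constructed-token',
  'Proxy-Authorization': 'Basic constructed-proxy-credentials',
  Accept: 'application/json',
};

// Returns the headers a pre-fix and a fixed client would forward.
function compareBehaviour() {
  return {
    before: headersForRedirect(ORIGINAL_URL, CROSS_ORIGIN_LOCATION, REQUEST_HEADERS, CLEARED_BEFORE_FIX),
    after: headersForRedirect(ORIGINAL_URL, CROSS_ORIGIN_LOCATION, REQUEST_HEADERS, CLEARED_AFTER_FIX),
  };
}

console.log(compareBehaviour());
```

The `before` object still carries the proxy credentials to the new origin, which is the leak the record describes; the `after` object forwards only the non-credential header.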

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2025-2007
ALT-PU-2025-2047
AZL-35045
BDU:2024-02800
CVE-2024-24758
GHSA-3787-6PRV-H9W3
OPENSUSE-SU-2024:13697-1
OPENSUSE-SU-2024:13698-1
OPENSUSE-SU-2024_0728-1
OPENSUSE-SU-2024_0729-1
SUSE-SU-2024:0643-1
SUSE-SU-2024:0644-1
SUSE-SU-2024:0728-1
SUSE-SU-2024:0729-1
SUSE-SU-2024:0730-1
SUSE-SU-2024:0731-1

Affected Products

Alt Linux
Astra Linux
Debian
Suse
Undici