node-undici: CVE-2023-45143

Debian Bug report logs - #1053879
node-undici: CVE-2023-45143

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: submit@bugs.debian.org

Subject: node-undici: CVE-2023-45143

Date: Fri, 13 Oct 2023 15:24:06 +0200

Source: node-undici
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-undici.

CVE-2023-45143[0]:
| Undici is an HTTP/1.1 client written from scratch for Node.js. Prior
| to version 5.26.2, Undici already cleared Authorization headers on
| cross-origin redirects, but did not clear `Cookie` headers. By
| design, `cookie` headers are forbidden request headers, disallowing
| them to be set in RequestInit.headers in browser environments. Since
| undici handles headers more liberally than the spec, there was a
| disconnect from the assumptions the spec made, and undici's
| implementation of fetch. As such this may lead to accidental leakage
| of cookie to a third-party site or a malicious attacker who can
| control the redirection target (ie. an open redirector) to leak the
| cookie to the third party site. This was patched in version 5.26.2.
| There are no known workarounds.

https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45143
    https://www.cve.org/CVERecord?id=CVE-2023-45143

Please adjust the affected versions in the BTS as needed.

Send a report that this bug log contains spam.