Headline

GHSA-m4v8-wqvr-p9f7: Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

https://hackerone.com/reports/2408074
https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3

7 months ago

ghsa

Open in Source

#nodejs #js #git #auth

Undici’s Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Low severity GitHub Reviewed Published Apr 4, 2024 in nodejs/undici • Updated Apr 4, 2024

ghsa: Latest News

GHSA-8495-4g3g-x7pr: aiohttp allows request smuggling due to incorrect parsing of chunk extensions

3 hours ago

ghsa

GHSA-27mf-ghqm-j3j8: aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

3 hours ago

ghsa

GHSA-jp37-5qhw-mffw: Sharks has a Bias of Polynomial Coefficients in Secret Sharing

4 hours ago

ghsa

GHSA-vggm-3478-vm5m: Graylog concurrent PDF report rendering can leak other users' reports

4 hours ago

ghsa

GHSA-7cc9-j4mv-vcjp: XXE in PHPSpreadsheet's XLSX reader

4 hours ago

ghsa