CVE-2023-45143

Published: 12 October 2023

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Priority

Cvss 3 Severity Score

3.5

Score breakdown

Status

Package	Release	Status
node-undici Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needs triage
	noble	Needs triage
	trusty	Does not exist
	upstream	Released (5.26.3+dfsg1+~cs23.10.12-1)
	xenial	Does not exist
	Patches: upstream: https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76

Severity score breakdown

Parameter	Value
Base score	3.5
Attack vector	Network
Attack complexity	Low
Privileges required	Low
User interaction	Required
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053879

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›