[22] Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline #442

Open
opened 2024-06-24 18:37:13 +01:00 by Helpdesk (Member) · 0 comments

Package: undici (npm)
Affected versions: < 5.28.4
Patched version: 5.28.4

[GitHub](https://github.com/Vylpes/vylbot-app/security/dependabot/22)

---

## Impact

Undici cleared `Authorization` and `Proxy-Authorization` headers for `fetch()` on a cross-origin redirect, but did not clear them for `undici.request()`.

## Patches

This has been patched in [nodejs/undici](https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75).
Fixes have been released in v5.28.4 and v6.11.1.

## Workarounds

Use `fetch()` or disable `maxRedirections`.

## References

Linzi Shang reported this.

- https://hackerone.com/reports/2408074
- https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
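The point of the advisory is what a client does with credential-bearing headers when a 3xx sends it to a different origin. The following is an added example written for this page, not undici's code: it models the pre-fix `request()` path as the title describes it (`Proxy-Authorization` survives a cross-origin redirect) next to the hardened policy, and shows why the `maxRedirections: 0` workaround closes the hole. The header list beyond `Authorization`/`Proxy-Authorization`, the hostnames and the credentials are constructed for the example; `Cookie` and `Host` are included as an assumption about what a hardened client should also drop, not something the advisory states.

```javascript
// Added example, not undici's own code: a small model of the redirect policy
// this advisory is about. `leakyRedirectHeaders` mirrors the pre-5.28.4
// request() path as the title describes it (Proxy-Authorization survives a
// cross-origin redirect); `safeRedirectHeaders` is the hardened policy.
// Header names and the redirect scenario in demo() are constructed.

// Credential-bearing headers that must not follow a redirect to another origin.
// The advisory names Authorization and Proxy-Authorization; Cookie and Host are
// added here as an assumption about what a hardened client should also drop.
const SENSITIVE_ON_CROSS_ORIGIN = ['authorization', 'proxy-authorization', 'cookie', 'host'];

// Lower-case header names so comparisons are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value]),
  );
}

// Cross-origin = different scheme, host or port. `location` may be relative,
// so it is resolved against the URL that produced the 3xx.
function isCrossOrigin(requestUrl, location) {
  return new URL(requestUrl).origin !== new URL(location, requestUrl).origin;
}

// Pre-fix behaviour: only Authorization is cleared, Proxy-Authorization leaks.
function leakyRedirectHeaders(headers, requestUrl, location) {
  const out = normalizeHeaders(headers);
  if (isCrossOrigin(requestUrl, location)) delete out['authorization'];
  return out;
}

// Hardened behaviour: every credential-bearing header is cleared on a
// cross-origin redirect; a same-origin redirect keeps them all.
function safeRedirectHeaders(headers, requestUrl, location) {
  const out = normalizeHeaders(headers);
  if (isCrossOrigin(requestUrl, location)) {
    for (const name of SENSITIVE_ON_CROSS_ORIGIN) delete out[name];
  }
  return out;
}

// Minimal redirect follower. `maxRedirections: 0` (the workaround the advisory
// gives for undici.request()) hands the 3xx back to the caller, so no header
// is ever re-sent to the redirect target regardless of policy.
function followRedirect({ url, headers, maxRedirections }, response, policy) {
  const isRedirect = response.status >= 300 && response.status <= 399 && response.location;
  if (!isRedirect || maxRedirections === 0) {
    return { followed: false, url, status: response.status, headers: normalizeHeaders(headers) };
  }
  const next = new URL(response.location, url).href;
  return { followed: true, url: next, status: response.status, headers: policy(headers, url, next) };
}

// Constructed scenario: an authenticated API call is redirected to a host
// the caller never intended to talk to.
function demo() {
  const request = {
    url: 'https://api.example.com/v1/report',
    headers: {
      Authorization: 'Bearer user-token',
      'Proxy-Authorization': 'Basic cHJveHk6c2VjcmV0', // proxy:secret, constructed
      Accept: 'application/json',
    },
    maxRedirections: 5,
  };
  const response = { status: 302, location: 'https://collector.example.net/' };

  return {
    leaky: followRedirect(request, response, leakyRedirectHeaders),
    safe: followRedirect(request, response, safeRedirectHeaders),
    workaround: followRedirect({ ...request, maxRedirections: 0 }, response, leakyRedirectHeaders),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the `leaky` result the proxy credential is re-sent to `collector.example.net`, which is the leak the advisory describes; in the `safe` result it is gone while harmless headers such as `Accept` survive; with `maxRedirections: 0` the caller receives the 302 and decides for itself, which is why disabling redirects is an adequate workaround until the patched version is installed. Origin comparison deliberately treats a scheme or port change as cross-origin, since a downgrade to `http://` would otherwise ship the credentials in clear text.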
Helpdesk added the type/alert label 2024-06-24 18:37:13 +01:00
Vylpes added this to the 3.2.3 milestone 2024-06-24 18:48:35 +01:00
Reference: RabbitLabs/vylbot-app#442