CVE-2024-24758

CWE-200 — Information Exposure8 documents7 sources

Severity

4.5MEDIUM

EPSS

0.3%

top 48.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Undici

Timeline

PublishedFeb 16

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:LExploitability: 0.5 | Impact: 3.4

Affected Packages4 packages

▶CVEListV5nodejs/undici< 5.28.3+1

▶NVDnodejs/undici6.0.0 — 6.6.1+1

▶Debiannode-undici< 5.28.4+dfsg1+~cs23.12.11-1+1

▶npmundici6.0.0 — 6.6.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-24758: Undici is an HTTP/1↗2024-02-16

▶

CVEList

Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici↗2024-02-16

▶

GHSA

Undici proxy-authorization header not cleared on cross-origin redirect in fetch↗2024-02-16

▶

OSV

Undici proxy-authorization header not cleared on cross-origin redirect in fetch↗2024-02-16

▶

📋Vendor Advisories

Red Hat

undici: sensitive information exposure↗2024-02-16

▶

Microsoft

Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici↗2024-02-13

▶

Debian

CVE-2024-24758: node-undici - Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already c...↗2024

▶