CVE-2024-24758
Published 2024-02-16
Medium, 4.5 (CVSS 3.1)
AV:N / AC:L / PR:H / UI:R / S:U / C:H / I:N / A:N
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-undici | < node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) | node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) |
| msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| nodejs | undici | < 5.28.3 | 5.28.3 |
| nodejs | undici | — | — |
| nodejs | undici | >= 0 < 5.28.3 | 5.28.3 |
| nodejs | undici | >= 6.0.0 < 6.6.1 | 6.6.1 |
| nodejs | undici | >= 6.0.0 < 6.6.1 | 6.6.1 |
CVSS provenance
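| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |
| osv | — | 4.5 | MEDIUM | — |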