CVE-2024-30260

CWE-285 CWE-863 — Incorrect Authorization CWE-200 — Information Exposure8 documents7 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 60.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Undici Fedoraproject Fedora

Timeline

PublishedApr 4

Latest updateApr 9

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:LExploitability: 0.5 | Impact: 3.4

Affected Packages4 packages

▶CVEListV5nodejs/undici< 5.28.4+1

▶NVDnodejs/undici6.0.0 — 6.11.1+1

▶Debiannode-undici< 5.28.4+dfsg1+~cs23.12.11-1+1

▶npmundici6.0.0 — 6.11.1+1

Also affects: Fedora 38, 39, 40

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline↗2024-04-04

▶

OSV

CVE-2024-30260: Undici is an HTTP/1↗2024-04-04

▶

GHSA

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline↗2024-04-04

▶

OSV

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline↗2024-04-04

▶

📋Vendor Advisories

Microsoft

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch request stream pipeline↗2024-04-09

▶

Red Hat

nodejs-undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline↗2024-04-04

▶

Debian

CVE-2024-30260: node-undici - Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared A...↗2024

▶