CVE-2023-45143

LOW3.9EPSS 0.12%

Undici's cookie header not cleared on cross-origin redirect in fetch

Published: 10/16/2023Modified: 2/4/2026

Also known as:GHSA-wqq4-5wpv-mx2gALPINE-CVE-2023-45143

Description

### Impact Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.

Affected packages (3)

Alpine/nodejsfrom 0, < 18.18.2-r0
Debian/node-undicifrom 0, < 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
npm/undicifrom 0, < 5.26.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.9	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Description

Affected packages (3)

CVSS scores

References (15)