CVE-2023-45143

LOW3.9EPSS 0.12%

Undici's cookie header not cleared on cross-origin redirect in fetch

發布日:2023/10/16修改日:2026/2/4

也稱為:GHSA-wqq4-5wpv-mx2gALPINE-CVE-2023-45143

描述

### Impact Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.

受影響套件(3)

Alpine/nodejsfrom 0, < 18.18.2-r0
Debian/node-undicifrom 0, < 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
npm/undicifrom 0, < 5.26.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW3.9	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

描述

受影響套件(3)

CVSS 分數

參考連結(15)