Undici HTTP Client Cookie Header Leak via Redirect (pre-5.26.2)
CVE-2023-45143 Published on October 12, 2023

Undici's cookie header not cleared on cross-origin redirect in fetch
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Github Repository NVD

Vulnerability Analysis

CVE-2023-45143 can be exploited with network access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2023-45143 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2023-45143

stack.watch emails you whenever new vulnerabilities are published in nodejs Undici or Fedora Project Fedora. Just hit a watch button to start following.

nodejs Undici
 
Fedora Project Fedora
 

Affected Versions

nodejs undici Version < 5.26.2 is affected by CVE-2023-45143

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-45143

Package Manager Vulnerable Package Versions Fixed In
npm undici < 5.26.2 5.26.2

Exploit Probability

EPSS
0.11%
Percentile
28.63%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.