Main Vulnerability Database Vulnerabilities #VU88177

#VU88177 Information disclosure in undici - CVE-2024-30260

Published: April 5, 2024

Vulnerability identifier: #VU88177

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-30260

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
undici

Software vendor:
Node.js

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application clears Authorization and Proxy-Authorization headers during cross-origin redirects for the fetch() method, however does not clear them for the undici.request() method, which can leak sensitive information to an unauthorized party.

Remediation

Install updates from vendor's website.

External links

https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75

#VU88177 Information disclosure in undici - CVE-2024-30260

Description

Remediation

External links

Please verify you're human