GHSA-wqq4-5wpv-mx2g
Undici's cookie header not cleared on cross-origin redirect in fetch
Details
### Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
### Patches
This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp [WEB]
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2023-45143 [ADVISORY]
- https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 [WEB]
- https://hackerone.com/reports/2166948 [WEB]
- https://github.com/nodejs/undici [PACKAGE]
- https://github.com/nodejs/undici/releases/tag/v5.26.2 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y [WEB]