LOW 3.9
GHSA-3787-6prv-h9w3
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Details
### Impact
Undici already cleared `Authorization` headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers.
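The behaviour described above, as an added sketch that is not undici's source code: a redirect step that drops a list of headers when the origin changes, run once with only `Authorization` on the list and once with `Proxy-Authorization` added. The function names, strip lists, hosts and credential values are hypothetical and constructed for illustration.

```javascript
// Added illustration: NOT undici's source. All names below are hypothetical.
const STRIP_BEFORE_FIX = ['authorization'];
const STRIP_AFTER_FIX = ['authorization', 'proxy-authorization'];

// Build the request that follows a redirect: resolve Location against the
// current URL and drop the listed headers when the origin changes.
function followRedirect(currentUrl, location, headers, stripList) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  const crossOrigin = from.origin !== to.origin; // scheme + host + port
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase(); // header names are case-insensitive
    if (crossOrigin && stripList.includes(lower)) continue;
    next[lower] = value;
  }
  return { url: to.href, crossOrigin, headers: next };
}

// Regression check: names of credential headers still present after the hop.
function credentialsCarried(result) {
  return STRIP_AFTER_FIX.filter((h) => h in result.headers).sort();
}

// Constructed sample request (hosts and credentials are placeholders).
const sampleHeaders = {
  Authorization: 'Bearer constructed-token',
  'Proxy-Authorization': 'Basic constructed-placeholder',
  Accept: 'application/json',
};
const start = 'https://api.example.test/v1/data';
const offSite = 'https://cdn.other.test/x';

function demo() {
  const run = (loc, list) =>
    credentialsCarried(followRedirect(start, loc, sampleHeaders, list));
  return {
    before: run(offSite, STRIP_BEFORE_FIX),    // Proxy-Authorization survives
    after: run(offSite, STRIP_AFTER_FIX),      // both credentials removed
    sameOrigin: run('/v2/data', STRIP_AFTER_FIX), // same origin: both kept
  };
}

console.log(demo());
```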
### Patches
This is patched in v5.28.3 and v6.6.1.
### Workarounds
There are no known workarounds.
### References
- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
References
- https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-24758 [ADVISORY]
- https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef [WEB]
- https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458 [WEB]
- https://github.com/nodejs/undici [PACKAGE]
- https://github.com/nodejs/undici/releases/tag/v5.28.3 [WEB]
- https://github.com/nodejs/undici/releases/tag/v6.6.1 [WEB]
- https://security.netapp.com/advisory/ntap-20240419-0007 [WEB]
- http://www.openwall.com/lists/oss-security/2024/03/11/1 [WEB]