CVE-2023-45143 : Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Published 2023-10-12 17:15:10

Updated 2024-02-16 16:09:02

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2023-45143

Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 38
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 39
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Matching versions
Nodejs » Undici » For Node.js
Versions before (<) 5.26.2
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-45143

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-45143

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N	2.1	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
3.9	LOW	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L	0.5	3.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
3.9	LOW	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L	N/A	N/A	RedHat-CVE-2023-45143
Attack Vector: Network Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2023-45143

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-45143

https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76

Merge pull request from GHSA-wqq4-5wpv-mx2g · nodejs/undici@e041de3 · GitHub
Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

[SECURITY] Fedora 39 Update: nodejs20-20.8.1-1.fc39 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/

[SECURITY] Fedora 37 Update: nodejs18-18.18.2-1.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/

[SECURITY] Fedora 38 Update: nodejs18-18.18.2-1.fc38 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/

[SECURITY] Fedora 39 Update: nodejs18-18.18.2-1.fc39 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

[SECURITY] Fedora 37 Update: nodejs20-20.8.1-1.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://hackerone.com/reports/2166948

Sign in | HackerOne
Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

[SECURITY] Fedora 38 Update: nodejs20-20.8.1-1.fc38 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/nodejs/undici/releases/tag/v5.26.2

Release v5.26.2 · nodejs/undici · GitHub
Release Notes
https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

Cookie header not cleared on cross-origin redirect in fetch · Advisory · nodejs/undici · GitHub
Vendor Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp

Cookies uncleared on cross-host / cross-origin redirect · Advisory · nodejs/undici · GitHub
Not Applicable

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-45143

Products affected by CVE-2023-45143

Exploit prediction scoring system (EPSS) score for CVE-2023-45143

CVSS scores for CVE-2023-45143

CWE ids for CVE-2023-45143

References for CVE-2023-45143