Fix CVE-2023-45143 #21

Merged
merged 1 commit into from
Feb 4, 2024

debricked[bot]
Contributor

@debricked debricked bot commented Jan 26, 2024

CVE-2023-45143

Vulnerability details

Description

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

NVD

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (i.e. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

GitHub

Undici's cookie header not cleared on cross-origin redirect in fetch

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (i.e. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

CVSS details - 3.5

CVSS3 metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

References

    Undici's cookie header not cleared on cross-origin redirect in fetch · CVE-2023-45143 · GitHub Advisory Database · GitHub
    NVD - CVE-2023-45143
    Merge pull request from GHSA-wqq4-5wpv-mx2g · nodejs/undici@e041de3 · GitHub
    Release v5.26.2 · nodejs/undici · GitHub
    Cookies uncleared on cross-host / cross-origin redirect · Advisory · nodejs/undici · GitHub
    HackerOne
    Cookie header not cleared on cross-origin redirect in fetch · Advisory · nodejs/undici · GitHub
    [SECURITY] Fedora 38 Update: nodejs18-18.18.2-1.fc38 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 37 Update: nodejs20-20.8.1-1.fc37 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 37 Update: nodejs18-18.18.2-1.fc37 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 38 Update: nodejs20-20.8.1-1.fc38 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 39 Update: nodejs18-18.18.2-1.fc39 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 39 Update: nodejs20-20.8.1-1.fc39 - package-announce - Fedora Mailing-Lists

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

@danieldietzler danieldietzler merged commit 73ccbaa into main Feb 4, 2024
3 checks passed
@danieldietzler danieldietzler deleted the debricked-fix-CVE_2023_45143-cfceaf28ab9c563a branch February 4, 2024 12:41
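
The header handling the advisory describes, shown as an added JavaScript illustration (not undici's source and not part of this pull request): a redirect follower that drops credential-bearing headers when the redirect leaves the origin, run once with the pre-fix strip list and once with the post-fix one. The function names, constants and `example.*` hosts are assumptions made for the example.

```javascript
// Added illustration; not undici's source. All names here are hypothetical.

// Credential-bearing headers dropped when a redirect leaves the origin.
const BEFORE_FIX = ['authorization'];           // behaviour described for < 5.26.2
const AFTER_FIX = ['authorization', 'cookie'];  // behaviour described for 5.26.2

// Same origin means identical scheme, host and port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Build the header set for the follow-up request of a redirect.
function headersForRedirect(headers, fromUrl, location, stripList) {
  const target = new URL(location, fromUrl).href; // Location may be relative
  if (sameOrigin(fromUrl, target)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive, so compare in lower case.
    if (!stripList.includes(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Constructed sample request; the example.* hosts are placeholders.
const SENT = { Authorization: 'Bearer constructed', Cookie: 'sid=constructed', Accept: '*/*' };
const FROM = 'https://app.example.com/out?to=elsewhere';

function demo() {
  return {
    beforeFixCross: headersForRedirect(SENT, FROM, 'https://other.example.net/', BEFORE_FIX),
    afterFixCross: headersForRedirect(SENT, FROM, 'https://other.example.net/', AFTER_FIX),
    afterFixSame: headersForRedirect(SENT, FROM, '/landing', AFTER_FIX),
    // Same host on another port is still a different origin.
    afterFixPort: headersForRedirect(SENT, FROM, 'https://app.example.com:8443/', AFTER_FIX),
  };
}

console.log(demo());
```

With the pre-fix list the cross-origin request still carries `Cookie`; with the post-fix list only `Accept` survives, while a same-origin redirect keeps all three headers.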