Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

Published

2022-07-21T04:15:12.157

Last Modified

2024-11-21T07:04:00.370

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

Weaknesses

Type: Secondary
CWE-601
Type: Primary
CWE-346

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nodejs	undici	< 5.7.1	Yes

References

https://github.com/nodejs/undici/issues/872 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp Third Party Advisory ([email protected])
https://hackerone.com/reports/1635514 Permissions Required, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220909-0006/ Third Party Advisory ([email protected])
https://github.com/nodejs/undici/issues/872 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1635514 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220909-0006/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)