What is CVE-2023-45143?

CVE-2023-45143 is a vulnerability in the Undici HTTP/1.1 client for Node.js version 5.26.2 and earlier.

How can I fix CVE-2023-45143?

To fix CVE-2023-45143, upgrade to Undici version 5.26.2 or later.

What is the severity of CVE-2023-45143?

CVE-2023-45143 has a severity rating of 3.9 (low).

Where can I find more information about CVE-2023-45143?

You can find more information about CVE-2023-45143 in the references provided on the GitHub page for Undici.

Vulnerability/
CVE-2023-45143

low

3.9

CWE

200

12/10/2023

16/10/2023

16/2/2024

CVE-2023-45143: Undici's cookie header not cleared on cross-origin redirect in fetch

Q: What is the impact of CVE-2023-45143?

The impact of CVE-2023-45143 is that Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers, which could potentially lead to security breaches.

First published: Thu Oct 12 2023(Updated: )

### Impact Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Nodejs Undici	<5.26.2
npm/undici	<5.26.2	5.26.2
redhat/node-undici	<5.26.2	5.26.2
Fedoraproject Fedora	=37
Fedoraproject Fedora	=38
Fedoraproject Fedora	=39

Remedy

https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7096365

Frequently Asked Questions

What is CVE-2023-45143?
CVE-2023-45143 is a vulnerability in the Undici HTTP/1.1 client for Node.js version 5.26.2 and earlier.
What is the impact of CVE-2023-45143?
The impact of CVE-2023-45143 is that Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers, which could potentially lead to security breaches.
How can I fix CVE-2023-45143?
To fix CVE-2023-45143, upgrade to Undici version 5.26.2 or later.
What is the severity of CVE-2023-45143?
CVE-2023-45143 has a severity rating of 3.9 (low).
Where can I find more information about CVE-2023-45143?
You can find more information about CVE-2023-45143 in the references provided on the GitHub page for Undici.

collector/nvd-index
collector/mitre-cve
agent/type
agent/first-publish-date
collector/ibm-support
source/IBM
agent/author
agent/weakness
agent/title
agent/remedy
agent/severity
agent/event
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-45143
agent/software-canonical-lookup
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-wqq4-5wpv-mx2g
agent/references
agent/last-modified-date
collector/nvd-cve
source/NVD
agent/softwarecombine
collector/nvd-api
agent/tags
collector/github-advisory
vendor/nodejs
canonical/nodejs undici
package-manager/redhat
package-manager/npm
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/37
version/fedoraproject fedora/38
version/fedoraproject fedora/39