First published: Thu Apr 04 2024(Updated: )
### Impact Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. ### Patches This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds use `fetch()` or disable `maxRedirections`. ### References Linzi Shang reported this. * https://hackerone.com/reports/2408074 * https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/undici | >=6.0.0<6.11.1 | 6.11.1 |
npm/undici | <5.28.4 | 5.28.4 |
Node.js | <5.28.4 | |
Node.js | >=6.0.0<6.11.1 | |
Red Hat Fedora | =38 | |
Red Hat Fedora | =39 | |
Red Hat Fedora | =40 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-30260 is currently classified with a moderate severity level due to the potential exposure of sensitive headers.
To fix CVE-2024-30260, update the 'undici' package to version 6.11.1 or later.
CVE-2024-30260 affects IBM Cloud Pak for Security versions up to 1.10.11.0 and IBM QRadar Suite Software versions up to 1.10.23.0, among others.
The vulnerability in CVE-2024-30260 is in the 'undici' library, specifically affecting authorization and proxy-authorization headers.
Yes, the issue in CVE-2024-30260 has been patched in the commits made to the undici repository, and these patches have been released in newer versions.