First published: Thu Apr 04 2024(Updated: )
### Impact Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. ### Patches This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds use `fetch()` or disable `maxRedirections`. ### References Linzi Shang reported this. * https://hackerone.com/reports/2408074 * https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/undici | >=6.0.0<6.11.1 | 6.11.1 |
npm/undici | <5.28.4 | 5.28.4 |
IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
IBM QRadar Suite Software | <=1.10.12.0 - 1.10.23.0 | |
Nodejs Undici | <5.28.4 | |
Nodejs Undici | >=6.0.0<6.11.1 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Fedoraproject Fedora | =40 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.