Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
nodejs/undici (undici)
### [`v5.26.2`](https://togithub.com/nodejs/undici/releases/tag/v5.26.2)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.1...v5.26.2)
Security Release, CVE-2023-45143.
### [`v5.26.1`](https://togithub.com/nodejs/undici/releases/tag/v5.26.1)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.0...v5.26.1)
#### What's Changed
- Fix publish undici-types once and for all! by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://togithub.com/nodejs/undici/pull/2338)
- Fix node detection omfg by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://togithub.com/nodejs/undici/pull/2341)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1
### [`v5.26.0`](https://togithub.com/nodejs/undici/releases/tag/v5.26.0)
[Compare Source](https://togithub.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0)
#### What's Changed
- use npm install instead of npm ci by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://togithub.com/nodejs/undici/pull/2309)
- change default header to `node` by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://togithub.com/nodejs/undici/pull/2310)
- chore: change order of the pseudo-headers by [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308)
- fix: Agent.Options.factory should accept URL object or string as parameter by [@nicole0707](https://togithub.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295)
- build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://togithub.com/nodejs/undici/pull/2312)
- test: handle npm ignore-scripts settings by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://togithub.com/nodejs/undici/pull/2313)
- feat: respect `--max-http-header-size` Node.js flag by [@balazsorban44](https://togithub.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234)
- fix([#2311](https://togithub.com/nodejs/undici/issues/2311)): End stream after body sent by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://togithub.com/nodejs/undici/pull/2314)
- disallow setting host header in fetch by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://togithub.com/nodejs/undici/pull/2322)
- \[StepSecurity] ci: Harden GitHub Actions by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://togithub.com/nodejs/undici/pull/2325)
- fix fetch with coverage enabled by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://togithub.com/nodejs/undici/pull/2330)
- Fix stuck when using http2 POST Buffer by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336)
- fix: 🏷️ add allowH2 to BuildOptions by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://togithub.com/nodejs/undici/pull/2334)
- fix: 🐛 fix process http2 header by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://togithub.com/nodejs/undici/pull/2332)
#### New Contributors
- [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308)
- [@nicole0707](https://togithub.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295)
- [@balazsorban44](https://togithub.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234)
- [@binsee](https://togithub.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.4...v5.26.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
5.25.4
->5.26.2
GitHub Vulnerability Alerts
CVE-2023-45143
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear
Cookie
headers. By design,cookie
headers are forbidden request headers, disallowing them to be set inRequestInit.headers
in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
Release Notes
nodejs/undici (undici)
### [`v5.26.2`](https://togithub.com/nodejs/undici/releases/tag/v5.26.2) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.1...v5.26.2) Security Release, CVE-2023-45143. ### [`v5.26.1`](https://togithub.com/nodejs/undici/releases/tag/v5.26.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.0...v5.26.1) #### What's Changed - Fix publish undici-types once and for all! by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://togithub.com/nodejs/undici/pull/2338) - Fix node detection omfg by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://togithub.com/nodejs/undici/pull/2341) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1 ### [`v5.26.0`](https://togithub.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://togithub.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://togithub.com/nodejs/undici/pull/2309) - change default header to `node` by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://togithub.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@nicole0707](https://togithub.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://togithub.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://togithub.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@balazsorban44](https://togithub.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234) - fix([#2311](https://togithub.com/nodejs/undici/issues/2311)): End stream after body sent by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://togithub.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://togithub.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://togithub.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://togithub.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://togithub.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://togithub.com/nodejs/undici/pull/2332) #### New Contributors - [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308) - [@nicole0707](https://togithub.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295) - [@balazsorban44](https://togithub.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234) - [@binsee](https://togithub.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.4...v5.26.0Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.