Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-m4v8-wqvr-p9f7

GitHub Security Advisory

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

✓ GitHub Reviewed LOW Has CVE
View on GitHub

Advisory Details

### Impact

Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.

### Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.
Fixes has been released in v5.28.4 and v6.11.1.

### Workarounds

use `fetch()` or disable `maxRedirections`.

### References

Linzi Shang reported this.

* https://hackerone.com/reports/2408074
* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3

Affected Packages

npm undici
Affected versions: 0 (fixed in 5.28.4)
npm undici
Affected versions: 6.0.0 (fixed in 6.11.1)

Related CVEs

CVE-2024-30260

Key Information

GHSA ID
GHSA-m4v8-wqvr-p9f7
Published
April 4, 2024 2:20 PM
Last Modified
February 13, 2025 7:02 PM
CVSS Score
2.5 /10
Primary Ecosystem
npm
Primary Package
undici
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.