
Proxy-Authorization header not cleared on cross-origin redirect in fetch

Low
mcollina published GHSA-3787-6prv-h9w3 Feb 16, 2024

Package

npm undici (npm)

Affected versions

<= v5.28.2, >= v6.0.0 <= v6.6.0

Patched versions

v5.28.3, v6.6.1

Description

Impact

Undici's fetch implementation already cleared the Authorization header on cross-origin redirects, but did not clear the Proxy-Authorization header, so it could be forwarded with the redirected request to a different origin.
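The following is an added illustration of the header-stripping rule the advisory describes; it is not undici's code, and the function and constant names, the header sample and the URLs are assumptions constructed for the example. It shows the pre-patch list (Authorization only) beside the patched list (Authorization and Proxy-Authorization) applied to the same cross-origin redirect, and that a same-origin redirect keeps both headers.

```javascript
// Added example, not undici's own implementation. Shows the rule that
// credential-bearing headers are dropped when a redirect leaves the origin
// of the original request. Names here are assumptions for illustration.

// Headers that must not follow a request to a different origin.
// Pre-patch, undici's fetch effectively only covered 'authorization';
// the fix (v5.28.3 / v6.6.1) adds 'proxy-authorization'.
const SENSITIVE_HEADERS_PRE_PATCH = ['authorization'];
const SENSITIVE_HEADERS_PATCHED = ['authorization', 'proxy-authorization'];

// Two URLs are same-origin when scheme, host and port all match.
// URL.origin normalises default ports, so http://a:80/ equals http://a/.
function isSameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Returns the header set to send on the redirected request. Header names are
// compared case-insensitively, as HTTP requires, so 'PROXY-AUTHORIZATION'
// is stripped just like 'Proxy-Authorization'.
function headersForRedirect(fromUrl, toUrl, headers, sensitive = SENSITIVE_HEADERS_PATCHED) {
  if (isSameOrigin(fromUrl, toUrl)) {
    return { ...headers };
  }
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sensitive.includes(name.toLowerCase())) {
      out[name] = value;
    }
  }
  return out;
}

// Constructed sample: a client that authenticates to its proxy and to the
// origin server, then receives a redirect to a different origin.
const sampleHeaders = {
  'Authorization': 'Bearer <token>',
  'Proxy-Authorization': 'Basic <proxy-credentials>',
  'Accept': 'application/json',
};

function demo() {
  const from = 'https://api.example/resource';
  const crossOrigin = 'https://other.example/landing';
  const sameOrigin = 'https://api.example/resource/v2';
  return {
    prePatch: headersForRedirect(from, crossOrigin, sampleHeaders, SENSITIVE_HEADERS_PRE_PATCH),
    patched: headersForRedirect(from, crossOrigin, sampleHeaders),
    sameOrigin: headersForRedirect(from, sameOrigin, sampleHeaders),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the `prePatch` result only `Proxy-Authorization` survives the cross-origin hop; in the `patched` result both credential headers are gone while `Accept` is kept; the `sameOrigin` result is unchanged. Dropping default ports via `URL.origin` matters for the check: a redirect from `http://a.example:80/` to `http://a.example/` is same-origin and must keep the headers.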

Patches

This is patched in v5.28.3 and v6.6.1.

Workarounds

There are no known workarounds.

References

Severity

Low, 3.9 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-24758

Weaknesses

Credits