GHSA-3787-6prv-h9w3, CVE-2024-24758
npm/undici
Exposure of Sensitive Information to an Unauthorized Actor
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but does not clear Proxy-Authentication
headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
All versions up to 5.28.2, all versions starting from 6.0.0 up to 6.6.0
Upgrade to versions 5.28.3, 6.6.1 or above.
2024-02-19
source |