CVE-2024-24758

Exposure of Sensitive Information to an Unauthorized Actor in npm/undici

Identifiers

GHSA-3787-6prv-h9w3, CVE-2024-24758

Package Slug

npm/undici

Vulnerability

Exposure of Sensitive Information to an Unauthorized Actor

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but does not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Versions

All versions up to 5.28.2, all versions starting from 6.0.0 up to 6.6.0

Solution

Upgrade to versions 5.28.3, 6.6.1 or above.

Last Modified

2024-02-19

source