Low severity · NVD Advisory · Published Jul 20, 2022 · Updated Apr 22, 2025
Uncleared cookies on cross-host/cross-origin redirect in undici
CVE-2022-31151
Description
Authorization headers are cleared on cross-origin redirect. However, Cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users sending Cookie headers with undici. This may lead to accidental leakage of cookies to a third-party site, or a malicious attacker who can control the redirection target (i.e. an open redirector) may use it to leak the cookies to a third-party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable: do not enable redirections, i.e. keep maxRedirections: 0 (the default).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| undici | npm | < 5.8.0 | 5.8.0 |
References
- https://github.com/advisories/GHSA-q768-x9m6-m9qp (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-31151 (NVD advisory)
- https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js (redirect handler source)
- https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d (fix commit)
- https://github.com/nodejs/undici/issues/872 (issue)
- https://github.com/nodejs/undici/pull/1441 (pull request)
- https://github.com/nodejs/undici/releases/tag/v5.8.0 (release)
- https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp (undici security advisory)
- https://hackerone.com/reports/1635514 (HackerOne report)
- https://security.netapp.com/advisory/ntap-20220909-0006/ (NetApp advisory)