Low severity · NVD Advisory · Published Feb 16, 2024 · Updated Feb 13, 2025
Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
CVE-2024-24758
Description
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared the Authorization header on cross-origin redirects, but did not clear the Proxy-Authorization header, so proxy credentials attached to a fetch() request followed a redirect to a different origin. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
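The fix adds `proxy-authorization` to the set of headers undici drops when a redirect leaves the request's origin. The following is an added example, not undici's own code, that models that sanitising step as a pure function so the before and after behaviour can be compared offline: `headersForRedirect`, `isCrossOrigin`, the `includeProxyAuth` option and the sample headers are all constructed for this illustration, and origin comparison uses Node's built-in `URL` (scheme, host and port) as the Fetch spec does.

```javascript
// Added example (not undici's own code): models the header-sanitising step that
// undici's httpRedirectFetch performs when a redirect crosses an origin boundary.
// 'authorization', 'cookie' and 'host' were already stripped before the fix;
// 'proxy-authorization' is the header added in 5.28.3 / 6.6.1.
const CROSS_ORIGIN_STRIPPED_HEADERS = ['authorization', 'proxy-authorization', 'cookie', 'host'];

// An origin is scheme + host + port; a change in any of them is cross-origin.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Returns the headers that should accompany the redirected request.
// `headers` is a plain object as a caller would pass to fetch(); names are
// lower-cased because header names are case-insensitive.
// `includeProxyAuth: false` reproduces the pre-fix behaviour for comparison.
function headersForRedirect(headers, fromUrl, toUrl, { includeProxyAuth = true } = {}) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  if (!isCrossOrigin(fromUrl, toUrl)) return out; // same origin: nothing is stripped
  const stripped = includeProxyAuth
    ? CROSS_ORIGIN_STRIPPED_HEADERS
    : CROSS_ORIGIN_STRIPPED_HEADERS.filter((h) => h !== 'proxy-authorization');
  for (const name of stripped) delete out[name];
  return out;
}

// Constructed sample request (placeholder values, not real credentials).
const sampleHeaders = {
  Authorization: 'Bearer example-token',
  'Proxy-Authorization': 'Basic example-proxy-credentials',
  Cookie: 'session=example',
  Accept: 'application/json',
};

// Runs the three cases a regression test for this bug should cover.
function demo() {
  const from = 'http://localhost:3000/start';
  const cross = 'http://127.0.0.1:3001/redirected'; // different host and port: cross-origin
  const same = 'http://localhost:3000/other';       // same origin: credentials may stay

  const vulnerable = headersForRedirect(sampleHeaders, from, cross, { includeProxyAuth: false });
  const fixed = headersForRedirect(sampleHeaders, from, cross);
  const sameOrigin = headersForRedirect(sampleHeaders, from, same);
  return {
    leaksProxyAuthBeforeFix: 'proxy-authorization' in vulnerable, // true
    leaksProxyAuthAfterFix: 'proxy-authorization' in fixed,       // false
    keepsProxyAuthSameOrigin: 'proxy-authorization' in sameOrigin, // true
    fixedHeaders: fixed,
  };
}

console.log(demo());
```

The same-origin case matters as much as the cross-origin one: a fix that stripped `Proxy-Authorization` unconditionally would break legitimate proxy authentication while still passing a test that only checks the cross-origin server never sees the header.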
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undici (npm) | < 5.28.3 | 5.28.3 |
| undici (npm) | >= 6.0.0, < 6.6.1 | 6.6.1 |
Patches
b9da3e40f1f0 · Merge pull request from GHSA-3787-6prv-h9w3
2 files changed · +7 −2
lib/fetch/index.js+3 −0 modified@@ -1326,6 +1326,9 @@ function httpRedirectFetch (fetchParams, response) { // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name request.headersList.delete('authorization', true) + // https://fetch.spec.whatwg.org/#authentication-entries + request.headersList.delete('proxy-authorization', true) + // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. request.headersList.delete('cookie', true) request.headersList.delete('host', true)
test/fetch/redirect-cross-origin-header.js+4 −2 modified@@ -7,11 +7,12 @@ const { once } = require('node:events') const { fetch } = require('../..') test('Cross-origin redirects clear forbidden headers', async (t) => { - const { strictEqual } = tspl(t, { plan: 5 }) + const { strictEqual } = tspl(t, { plan: 6 }) const server1 = createServer((req, res) => { strictEqual(req.headers.cookie, undefined) strictEqual(req.headers.authorization, undefined) + strictEqual(req.headers['proxy-authorization'], undefined) res.end('redirected') }).listen(0) @@ -40,7 +41,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => { const res = await fetch(`http://localhost:${server2.address().port}`, { headers: { Authorization: 'test', - Cookie: 'ddd=dddd' + Cookie: 'ddd=dddd', + 'Proxy-Authorization': 'test' } })
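Review bot: the comment above the new `request.headersList.delete('proxy-authorization', true)` line in lib/fetch/index.js cites https://fetch.spec.whatwg.org/#authentication-entries, which defines authentication entries rather than the redirect step that discards them, while the `authorization` line just above it cites #cors-non-wildcard-request-header-name; pointing the new comment at the redirect step (or at the same anchor as the line above) would make it clearer why Proxy-Authorization is dropped here. The call itself is consistent with its neighbours: the name is lower-cased and the second `true` argument matches `delete('authorization', true)`, `delete('cookie', true)` and `delete('host', true)`.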
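Review bot: the test in test/fetch/redirect-cross-origin-header.js only asserts the cross-origin path: `plan: 6` matches the one added `strictEqual(req.headers['proxy-authorization'], undefined)`, but nothing checks that a same-origin redirect still delivers the header, so a regression that stripped Proxy-Authorization unconditionally would pass. Suggest adding a same-origin redirect case (or a separate test) asserting `req.headers['proxy-authorization'] === 'test'` on the target server.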
d3aa574b1259 · Merge pull request from GHSA-3787-6prv-h9w3
2 files changed · +7 −2
lib/fetch/index.js+3 −0 modified@@ -1203,6 +1203,9 @@ function httpRedirectFetch (fetchParams, response) { // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name request.headersList.delete('authorization') + // https://fetch.spec.whatwg.org/#authentication-entries + request.headersList.delete('proxy-authorization', true) + // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. request.headersList.delete('cookie') request.headersList.delete('host')
test/fetch/redirect-cross-origin-header.js+4 −2 modified@@ -6,11 +6,12 @@ const { once } = require('events') const { fetch } = require('../..') test('Cross-origin redirects clear forbidden headers', async (t) => { - t.plan(5) + t.plan(6) const server1 = createServer((req, res) => { t.equal(req.headers.cookie, undefined) t.equal(req.headers.authorization, undefined) + t.equal(req.headers['proxy-authorization'], undefined) res.end('redirected') }).listen(0) @@ -39,7 +40,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => { const res = await fetch(`http://localhost:${server2.address().port}`, { headers: { Authorization: 'test', - Cookie: 'ddd=dddd' + Cookie: 'ddd=dddd', + 'Proxy-Authorization': 'test' } })
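Review bot: in the 5.x backport of lib/fetch/index.js the new line is `request.headersList.delete('proxy-authorization', true)` while the surrounding calls are `request.headersList.delete('authorization')`, `delete('cookie')` and `delete('host')` with no second argument; confirm that `HeadersList.delete` on this branch accepts an extra argument and ignores it harmlessly, or drop the `true` so the line matches the calls around it and the branch's own signature.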
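Review bot: the 5.x test has the same gap as the 6.x one: `t.plan(6)` matches the added `t.equal(req.headers['proxy-authorization'], undefined)`, but only the cross-origin server checks the header, so there is no assertion that a same-origin redirect keeps `'Proxy-Authorization': 'test'`; suggest a same-origin case in this test or a sibling test to guard the backport against over-stripping.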
References
- github.com/advisories/GHSA-3787-6prv-h9w3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-24758 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/03/11/1 (ghsa, WEB)
- github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef (ghsa, x_refsource_MISC, WEB)
- github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458 (ghsa, WEB)
- github.com/nodejs/undici/releases/tag/v5.28.3 (ghsa, WEB)
- github.com/nodejs/undici/releases/tag/v6.6.1 (ghsa, WEB)
- github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 (ghsa, x_refsource_CONFIRM, WEB)
- security.netapp.com/advisory/ntap-20240419-0007 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20240419-0007/ (mitre)