CVE-2024-24758 LOW

CVE-2024-24758: Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici

Vendor Nodejs
Product undici
Weakness CWE-200 · Info exposure
Published February 16, 2024
Last update February 13, 2025

CVSS base score

3.9/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared `Authorization` headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
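An added illustration (not undici's source code) of the redirect handling the description refers to: when a redirect leaves the original origin, both credential headers are dropped before the follow-up request is built. The function names, the `patched` flag and the `example.test` hosts are assumptions made for this example.

```javascript
// Added illustration; not undici's source. All names here are hypothetical.

// Request headers that carry credentials for the origin server or for a proxy.
const AUTHORIZATION = 'authorization';
const PROXY_AUTHORIZATION = 'proxy-authorization';

// Two URLs share an origin only if scheme, host and port all match.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Returns { url, headers } for the follow-up request after a 3xx response.
// patched = false models the behaviour the advisory describes (only
// Authorization cleared); patched = true models the fixed behaviour.
function prepareRedirect(currentUrl, location, headers, patched = true) {
  // Location may be relative; resolve it against the current request URL.
  const nextUrl = new URL(location, currentUrl).href;
  const drop = new Set();
  if (isCrossOrigin(currentUrl, nextUrl)) {
    drop.add(AUTHORIZATION);
    if (patched) drop.add(PROXY_AUTHORIZATION);
  }
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive, so compare in lower case.
    if (!drop.has(name.toLowerCase())) next[name] = value;
  }
  return { url: nextUrl, headers: next };
}

// Constructed sample request (hosts and credentials are placeholders).
const sample = {
  Accept: 'application/json',
  Authorization: 'Bearer example-token',
  'Proxy-Authorization': 'Basic ZXhhbXBsZTpleGFtcGxl',
};

function demo() {
  const from = 'https://api.example.test/v1/item';
  return {
    sameOrigin: prepareRedirect(from, '/v2/item', sample),
    before: prepareRedirect(from, 'https://other.example.test/item', sample, false),
    after: prepareRedirect(from, 'https://other.example.test/item', sample, true),
    portChange: prepareRedirect(from, 'https://api.example.test:8443/v1/item', sample),
  };
}
```

A port or scheme change counts as a new origin, so the `portChange` case drops both headers even though the host name is unchanged.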

Key dates

02 Disclosure timeline

February 16, 2024 CVE published
February 13, 2025 Record updated