Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici
already cleared Authorization headers on cross-origin redirects, but did
not clear Proxy-Authentication
headers. This issue has been patched in
versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known
workarounds for this vulnerability.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 23.10 | noarch | node-undici | < any | UNKNOWN |
ubuntu | 24.04 | noarch | node-undici | < any | UNKNOWN |
github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef (v6.6.1)
github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458 (v5.28.3)
github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
launchpad.net/bugs/cve/CVE-2024-24758
nvd.nist.gov/vuln/detail/CVE-2024-24758
security-tracker.debian.org/tracker/CVE-2024-24758
www.cve.org/CVERecord?id=CVE-2024-24758