CVE-2024-24758

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
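
The fix class described above, as an added example that is not undici's own code: a redirect helper that drops credential-bearing headers whenever the redirect target has a different origin. The function name `headersForRedirect`, the header set and the sample URLs are assumptions made for illustration.

```javascript
// Added example (hypothetical helper, not undici's implementation).
// Headers that carry credentials and must not follow a cross-origin redirect.
// 'proxy-authorization' is the standard request header (RFC 9110);
// 'proxy-authentication' is the spelling used in the advisory text above.
const CREDENTIAL_HEADERS = new Set([
  'authorization',
  'cookie',
  'proxy-authorization',
  'proxy-authentication',
]);

// Returns the resolved redirect URL and the headers that are safe to resend.
function headersForRedirect(fromUrl, location, headers) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // Location may be relative

  // Same origin (scheme + host + port): the credentials stay in scope.
  if (to.origin === from.origin) {
    return { url: to.href, headers: { ...headers } };
  }

  // Different origin: keep everything except credential headers.
  // Header names are case-insensitive, so compare in lower case.
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return { url: to.href, headers: kept };
}

// Constructed sample request headers (values are placeholders).
const sampleHeaders = {
  Accept: 'application/json',
  Authorization: 'Bearer PLACEHOLDER',
  'Proxy-Authorization': 'Basic PLACEHOLDER',
};

const crossOrigin = headersForRedirect(
  'https://api.example.test/v1/items',
  'https://other.example.test/landing',
  sampleHeaders
);
console.log(Object.keys(crossOrigin.headers)); // only non-credential headers remain
```

A scheme or port change on the same host also counts as a different origin, so the same stripping applies to an `https` to `http` downgrade redirect.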

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 3.9 LOW | NETWORK | HIGH | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |
| GitHub_M | CNA | 3.9 LOW | NETWORK | HIGH | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |
| CISA-ADP | ADP | --- | | | | --- |
| CVE | ADP | --- | | | | --- |


Base Score: CVSS 3.x

EPSS Score: Percentile: 24%


| Vendor | Product | Version |
|---|---|---|
| nodejs | undici | 𝑥 < 5.28.3 |
| nodejs | undici | 6.0.0 ≤ 𝑥 < 6.6.1 |

𝑥 = Vulnerable software versions

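
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| node-undici | bookworm | | no-dsa |
| node-undici | bookworm (security) | | vulnerable |
| node-undici | trixie | 7.3.0+dfsg1+~cs24.12.11-1 | fixed |
| node-undici | sid | 7.3.0+dfsg1+~cs24.12.11-2 | fixed |
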
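
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| node-undici | plucky | needs-triage |
| node-undici | oracular | needs-triage |
| node-undici | noble | needs-triage |
| node-undici | mantic | ignored |
| node-undici | jammy | dne |
| node-undici | focal | dne |
| node-undici | bionic | dne |
| node-undici | xenial | dne |
| node-undici | trusty | dne |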