{
  "canonical_id": "undici--CVE-2022-31151",
  "system_id": "undici",
  "display_name": "Undici",
  "category": "frameworks",
  "advisory_mode": "core",
  "title": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect",
  "summary": "### Impact\n\nAuthorization headers are already cleared on cross-origin redirect in\nhttps://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.\n\nHowever, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in v5.8.0.\n\n### Workarounds\n\nBy default, this vulnerability is not exploitable.\nDo not enable redirections, i.e. `maxRedirections: 0` (the default). \n\n### References\n\nhttps://hackerone.com/reports/1635514\nhttps://curl.se/docs/CVE-2018-1000007.html\nhttps://curl.se/docs/CVE-2022-27776.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n",
  "published_at": "2022-07-21T20:31:05Z",
  "updated_at": "2026-02-04T03:02:08.652391Z",
  "severity": "low",
  "cvss_score": 3.1,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
  "secondary_source_urls": [
    "https://nvd.nist.gov/vuln/detail/CVE-2022-31151",
    "https://github.com/nodejs/undici/issues/872",
    "https://github.com/nodejs/undici/pull/1441",
    "https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d",
    "https://hackerone.com/reports/1635514",
    "https://github.com/nodejs/undici",
    "https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189",
    "https://github.com/nodejs/undici/releases/tag/v5.8.0",
    "https://security.netapp.com/advisory/ntap-20220909-0006"
  ],
  "aliases": [
    "CVE-2022-31151",
    "GHSA-q768-x9m6-m9qp"
  ],
  "cve_ids": [
    "CVE-2022-31151"
  ],
  "ghsa_ids": [
    "GHSA-q768-x9m6-m9qp"
  ],
  "osv_ids": [
    "GHSA-q768-x9m6-m9qp"
  ],
  "affected_versions": [
    "introduced=0, fixed<5.8.0"
  ],
  "fixed_versions": [
    "5.8.0"
  ],
  "package_name": "undici",
  "render_markdown": true,
  "case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2022-31151.md",
  "secure_code_topics": [
    "ssrf-url-validation",
    "proxy-trust-boundary",
    "token-cookie-storage",
    "dependency-upgrade-policy"
  ],
  "status": "generated",
  "triage_reasons": [],
  "metadata": {
    "source_names": [
      "OSV Undici"
    ],
    "source_kinds": [
      "osv-batch"
    ],
    "candidate_count": 1
  }
}