{
  "canonical_id": "undici--CVE-2023-45143",
  "system_id": "undici",
  "display_name": "Undici",
  "category": "frameworks",
  "advisory_mode": "core",
  "title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
  "summary": "### Impact\n\nUndici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.\n\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.\n",
  "published_at": "2023-10-16T14:05:37Z",
  "updated_at": "2026-02-04T02:35:56.289390Z",
  "severity": "low",
  "cvss_score": 3.1,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
  "secondary_source_urls": [
    "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
    "https://nvd.nist.gov/vuln/detail/CVE-2023-45143",
    "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
    "https://hackerone.com/reports/2166948",
    "https://github.com/nodejs/undici",
    "https://github.com/nodejs/undici/releases/tag/v5.26.2",
    "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A",
    "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5",
    "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU",
    "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ",
    "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG",
    "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"
  ],
  "aliases": [
    "CVE-2023-45143",
    "GHSA-wqq4-5wpv-mx2g"
  ],
  "cve_ids": [
    "CVE-2023-45143"
  ],
  "ghsa_ids": [
    "GHSA-wqq4-5wpv-mx2g"
  ],
  "osv_ids": [
    "GHSA-wqq4-5wpv-mx2g"
  ],
  "affected_versions": [
    "introduced=0, fixed<5.26.2"
  ],
  "fixed_versions": [
    "5.26.2"
  ],
  "package_name": "undici",
  "render_markdown": true,
  "case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2023-45143.md",
  "secure_code_topics": [
    "ssrf-url-validation",
    "proxy-trust-boundary",
    "token-cookie-storage"
  ],
  "status": "generated",
  "triage_reasons": [],
  "metadata": {
    "source_names": [
      "OSV Undici"
    ],
    "source_kinds": [
      "osv-batch"
    ],
    "candidate_count": 1
  }
}