All the vulnerabilities related to the version 2.10.0 of the package
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.
This is patched in v5.28.3 and v6.6.1
There are no known workarounds.
CRLF Injection in Nodejs ‘undici’ via host
undici library does not protect host HTTP header from CRLF injection vulnerabilities.
This issue was patched in Undici v5.19.1.
Sanitize the headers.host string before passing to undici.
Reported at https://hackerone.com/reports/1820955.
Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.
Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.
Ensure that integrity cannot be tampered with.
https://hackerone.com/reports/2377760
Use of Insufficiently Random Values in undici
Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.
If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.
This is fixed in 5.28.5; 6.21.1; 7.2.3.
Do not issue multipart requests to attacker controlled servers.
undici Denial of Service attack via bad certificate data
Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.
This has been patched in https://github.com/nodejs/undici/pull/4088.
If a webhook fails, avoid keep calling it repeatedly.
Reported as: https://github.com/nodejs/undici/issues/3895
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().
This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1.
use fetch() or disable maxRedirections.
Linzi Shang reported this.
Regular Expression Denial of Service in Headers
The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.
This vulnerability was patched in v5.19.1.
There is no workaround. Please update to an unaffected version.
Carter Snook reported this vulnerability.
Undici's cookie header not cleared on cross-origin redirect in fetch
Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
