Undici HTTP/1.1 client in Node.js prior to v5.26.2 allows sensitive cookie data leakage on cross-origin fetch redirects. Learn how to mitigate this security risk.
Undici's cookie header not cleared on cross-origin redirect in fetch.
Understanding CVE-2023-45143
This CVE affects Undici, an HTTP/1.1 client for Node.js, where a vulnerability existed in versions prior to 5.26.2 that allowed sensitive cookie information leakage on cross-origin redirects in the fetch process.
What is CVE-2023-45143?
Undici, a Node.js library, failed to clear Cookie headers on cross-origin redirects, potentially exposing sensitive information to unauthorized actors. This could lead to accidental cookie leakage to third-party sites or malicious attackers.
The Impact of CVE-2023-45143
The vulnerability could result in the exposure of sensitive cookie information to attackers, posing a risk of unauthorized access to user data and potential privacy breaches.
Technical Details of CVE-2023-45143
Undici's vulnerability description, affected systems, and exploitation mechanism.
Vulnerability Description
Undici did not clear Cookie headers on cross-origin redirects, contrary to browser security standards. This could allow malicious actors to obtain sensitive cookie data.
Affected Systems and Versions
Undici versions prior to 5.26.2 are affected by this vulnerability, potentially impacting systems that use these vulnerable versions.
Exploitation Mechanism
By controlling the redirection target, attackers could exploit this vulnerability to leak cookie information to unauthorized third-party sites.
Mitigation and Prevention
Steps to address the CVE-2023-45143 issue and prevent future vulnerabilities.
Immediate Steps to Take
Users are advised to update Undici to version 5.26.2 or newer to mitigate the vulnerability and prevent unauthorized access to sensitive cookie data.
Long-Term Security Practices
Implementing strict header handling practices and monitoring for security updates can help maintain a secure environment for Node.js applications.
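The following is an added example, not Undici's own code. It models the header-forwarding rule a fetch client must apply when it follows a redirect: the pre-fix behaviour forwards every header unchanged, while the hardened version drops credential headers as soon as a hop leaves the current origin. The choice to strip Authorization alongside Cookie, the `followRedirects` helper and the `api.example.com` / `third-party.example.net` hosts are assumptions constructed for this illustration.

```javascript
// Headers that carry credentials and must not cross an origin boundary.
// Cookie is the header from the advisory; Authorization is an assumption
// taken from the Fetch standard's redirect rules, not from the CVE text.
const CREDENTIAL_HEADERS = ['cookie', 'authorization'];

// Origin = scheme + host + port. A different scheme or port is cross-origin;
// WHATWG URL normalises a default port (e.g. :443 on https) to ''.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Vulnerable behaviour (Undici < 5.26.2): every header is forwarded as-is,
// so a Cookie set for the first origin reaches the redirect target.
function forwardHeadersUnsafe(headers) {
  return { ...headers };
}

// Hardened behaviour: credential headers are removed on a cross-origin hop
// and kept on a same-origin hop. Header names are compared case-insensitively.
function forwardHeadersSafe(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const isCredential = CREDENTIAL_HEADERS.includes(name.toLowerCase());
    if (crossOrigin && isCredential) continue;
    out[name] = value;
  }
  return out;
}

// Follow a redirect chain with the chosen policy ('safe' or 'unsafe').
// `respond` is a constructed stand-in for the network: given a URL it returns
// the Location header of a redirect, or null when the response is final.
function followRedirects(startUrl, headers, respond, policy, maxHops = 5) {
  let url = startUrl;
  let current = { ...headers };
  for (let hop = 0; hop < maxHops; hop++) {
    const location = respond(url);
    if (location === null) break;
    const next = new URL(location, url).href; // resolve relative Location values
    current = policy === 'safe' ? forwardHeadersSafe(current, url, next) : forwardHeadersUnsafe(current);
    url = next;
  }
  return { url, headers: current };
}

// Constructed scenario: the first origin redirects to a third-party host.
const responder = (url) =>
  url === 'https://api.example.com/login' ? 'https://third-party.example.net/landing' : null;
const requestHeaders = { Cookie: 'session=abc123', Accept: 'application/json' };
```

Running `followRedirects` with the `'unsafe'` policy shows the session cookie arriving at third-party.example.net; with `'safe'` only the Accept header survives the hop.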
Patching and Updates
Regularly applying patches and staying informed about security advisories from Node.js can protect systems from known vulnerabilities and ensure a secure software environment.