CVE-2024-30260

LOW

Nodejs Undici < 5.28.4 - Incorrect Authorization

Title source: rule

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

References (7)

Core 7

Core References

Product

https://lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/

Product

https://lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/

Product

https://lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240905-0008/

Patch, Vendor Advisory x_refsource_confirm

https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7

Patch x_refsource_misc

https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75

Scores

CVSS v3 3.9

EPSS 0.0018

EPSS Percentile 38.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-863

Status published

Products (5)

fedoraproject/fedora 38

fedoraproject/fedora 39

fedoraproject/fedora 40

nodejs/undici < 5.28.4

npm/undici 0 - 5.28.4npm

Published Apr 04, 2024

Tracked Since Feb 18, 2026