Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Low severity
GitHub Reviewed
Published Apr 4, 2024 in nodejs/undici • Updated Apr 20, 2024
Affected versions
< 5.28.4
>= 6.0.0, < 6.11.1
Patched versions
5.28.4
6.11.1
Impact
Undici cleared the Authorization and Proxy-Authorization headers on cross-origin redirects for fetch(), but did not clear them for undici.request().
Patches
This has been patched in nodejs/undici@6805746.
Fixes have been released in v5.28.4 and v6.11.1.
Workarounds
Use fetch() or disable maxRedirections.
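With automatic redirects disabled as in the workaround above, a caller that follows the Location header itself has to do the header clearing that the unpatched request path skipped. The following is an added example, not code from the advisory or from undici: the function names are hypothetical, and treating Cookie as a credential header is an assumption of the example.

```javascript
// Added example, not undici's code. Names here are hypothetical.
// Authorization and Proxy-Authorization come from the advisory; Cookie is
// an assumption of this example.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// True when the redirect target differs in scheme, host or port.
// A Location that cannot be parsed is treated as cross-origin (fail closed).
function isCrossOrigin(fromUrl, location) {
  const from = new URL(fromUrl);
  try {
    return new URL(location, from).origin !== from.origin; // Location may be relative
  } catch {
    return true;
  }
}

// Normalise a headers object or a flat [name, value, ...] array to pairs.
function toPairs(headers) {
  if (!Array.isArray(headers)) return Object.entries(headers || {});
  const pairs = [];
  for (let i = 0; i + 1 < headers.length; i += 2) pairs.push([headers[i], headers[i + 1]]);
  return pairs;
}

// Build the headers for the next hop of a manually followed redirect.
function headersForRedirect(headers, fromUrl, location) {
  const crossOrigin = isCrossOrigin(fromUrl, location);
  const next = {};
  for (const [name, value] of toPairs(headers)) {
    const lower = String(name).toLowerCase();
    if (lower === 'host') continue; // recomputed for the new target
    if (crossOrigin && CREDENTIAL_HEADERS.has(lower)) continue;
    next[name] = value;
  }
  return next;
}

// Constructed sample request headers and redirect target.
const sample = { authorization: 'Bearer constructed-token', 'proxy-authorization': 'Basic constructed', accept: 'application/json' };
console.log(headersForRedirect(sample, 'https://api.example.test/v1', 'https://cdn.example.test/v1'));
```

Header names are matched case-insensitively, and a change of scheme or port alone counts as a new origin.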
References
Linzi Shang reported this.
Published to the GitHub Advisory Database Apr 4, 2024
Last updated Apr 20, 2024