CVE-2023-45143
Information Exposure vulnerability in undici (npm)
What is CVE-2023-45143 About?
This Undici vulnerability is an Information Exposure issue where `Cookie` headers are not cleared on cross-origin redirects, unlike `Authorization` headers. This can lead to sensitive cookie data being leaked to third-party sites or malicious attackers. Its exploitation relies on an attacker controlling a redirection target.
Affected Software
Technical Details
The Undici library, an HTTP client used by Node.js's fetch implementation, fails to clear the `Cookie` header during cross-origin redirects, while it correctly clears the `Authorization` header. This deviates from the browser Fetch API, which does not allow a `Cookie` header to be set via `RequestInit.headers` at all. Because Undici is more liberal and accepts such a header, an attacker who controls a redirection target (e.g., an open redirector) can cause the vulnerable client to carry the victim's `Cookie` header on the redirected request to an unintended third-party site, thereby leaking session identifiers or authentication tokens.
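The following is an added illustration, not Undici's own code: it models the redirect header-handling decision this advisory concerns, with a flag that reproduces the pre-5.26.2 behaviour (only `Authorization` dropped) beside the fixed behaviour (`Cookie` dropped as well). The `sameOrigin` and `headersForRedirect` names, the sample header values and the hostnames are all constructed for the example.

```javascript
// Two URLs share an origin when scheme, host and port all match
// (URL.host already includes a non-default port).
function sameOrigin(a, b) {
  const u1 = new URL(a);
  const u2 = new URL(b);
  return u1.protocol === u2.protocol && u1.host === u2.host;
}

// Compute the headers that would be forwarded when a response to
// `currentUrl` redirects to `location` (which may be relative, as the
// Location header allows). `headers` is a plain object with lower-cased
// names. `stripCookie === false` reproduces the vulnerable behaviour;
// `true` reproduces the behaviour after the fix.
function headersForRedirect(currentUrl, location, headers, stripCookie) {
  const target = new URL(location, currentUrl);
  const out = { ...headers };
  if (!sameOrigin(currentUrl, target.href)) {
    // Credentials that were always cleared on a cross-origin hop.
    delete out['authorization'];
    delete out['proxy-authorization'];
    // The missing step behind CVE-2023-45143: Cookie must be cleared too.
    if (stripCookie) delete out['cookie'];
  }
  return { target: target.href, headers: out };
}

// Constructed sample: an application request carrying a session cookie
// that hits an open redirector pointing at a third-party host.
const sampleHeaders = {
  authorization: 'Bearer <placeholder-token>',
  cookie: 'session=<placeholder-session-id>',
  accept: 'application/json',
};
const from = 'https://app.example/redirect?next=https://third-party.example/collect';
const to = 'https://third-party.example/collect';

const vulnerable = headersForRedirect(from, to, sampleHeaders, false);
const fixed = headersForRedirect(from, to, sampleHeaders, true);
console.log('vulnerable forwards Cookie cross-origin:', 'cookie' in vulnerable.headers);
console.log('fixed forwards Cookie cross-origin:', 'cookie' in fixed.headers);
```

Running it shows the vulnerable mode forwarding the cookie to the third-party origin while the fixed mode keeps it; a same-origin redirect (for example to `/login` on the same host) keeps the cookie in both modes, which is the intended behaviour.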
What is the Impact of CVE-2023-45143?
Successful exploitation may allow attackers to obtain sensitive information, primarily user session cookies, leading to session hijacking, unauthorized access to user accounts, or further reconnaissance.
What is the Exploitability of CVE-2023-45143?
Exploitation of this vulnerability has moderate complexity. It requires an attacker to control a redirection target, such as an open redirector, to redirect a user to a malicious third-party site. There are no specific authentication or privilege requirements to trigger the redirect. The vulnerability is remote, as it relies on a user making a request that passes through the vulnerable Undici instance and then gets redirected. The primary risk is the presence of open redirectors in web applications or instances where an attacker can sufficiently influence redirect logic. The act of exploitation typically involves a user clicking a crafted link or interacting with a malicious webpage.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-45143?
Available Upgrade Options
- undici
  - <5.26.2 → Upgrade to 5.26.2
Additional Resources
- https://hackerone.com/reports/2166948
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
- https://nvd.nist.gov/vuln/detail/CVE-2023-45143
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
- https://github.com/nodejs/undici/releases/tag/v5.26.2
- https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76
- https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG
What are Similar Vulnerabilities to CVE-2023-45143?
Similar Vulnerabilities: CVE-2023-39325, CVE-2023-44270, CVE-2022-48590, CVE-2023-38407, CVE-2023-32002
