CVE-2024-24758
Credential Leakage vulnerability in undici (npm)
What is CVE-2024-24758 About?
Undici versions prior to v5.28.3 and v6.6.1 contain a credential leakage vulnerability: `Proxy-Authorization` headers are not cleared on cross-origin redirects. This flaw can expose sensitive proxy credentials to third parties, and it is moderately easy to exploit when a client application built on Undici sets `Proxy-Authorization` headers and follows cross-origin redirects.
Affected Software
- undici
  - >6.0.0, <6.6.1
  - <5.28.3
Technical Details
The vulnerability in Undici concerns its handling of Proxy-Authorization headers during cross-origin redirects. While Authorization headers are correctly cleared to prevent their leakage to unintended origins, Proxy-Authorization headers are erroneously retained. This means that if an Undici client makes a request to an origin that then redirects to a different, potentially untrusted, origin, the Proxy-Authorization header (which may contain sensitive credentials) is sent along with the redirected request. An attacker controlling the destination of such a redirect can then capture these proxy credentials, compromising the client's proxy authentication information.
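The following is an added illustration of the header-handling logic the advisory describes, written for this page rather than taken from undici's source: a redirect filter that drops only `Authorization` (the pre-fix behaviour) beside one that also drops `Proxy-Authorization` (the fixed behaviour), applied to a constructed request whose first hop redirects to an untrusted origin. The URLs, header values and function names are assumptions for the example.

```javascript
// Added example, not undici's own code: header filtering on redirect.
// Pre-fix behaviour described in the advisory: only Authorization was dropped.
const SENSITIVE_HEADERS_VULNERABLE = ['authorization'];
// Fixed behaviour: Proxy-Authorization is dropped on cross-origin hops as well.
const SENSITIVE_HEADERS_FIXED = ['authorization', 'proxy-authorization'];

// Two URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Return the headers that should accompany the redirected request.
// `headers` is a plain object keyed by header name (any letter case).
function headersForRedirect(fromUrl, toUrl, headers, sensitive = SENSITIVE_HEADERS_FIXED) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sensitive.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample: a client configured with proxy credentials (placeholder
// values) whose first request is redirected to a different, untrusted origin.
const sampleHeaders = {
  'Proxy-Authorization': 'Basic PLACEHOLDER',
  'Authorization': 'Bearer PLACEHOLDER',
  'Accept': 'application/json',
};
const firstHop = 'https://api.example.com/resource';
const crossOriginTarget = 'https://untrusted.example/collect';
const sameOriginTarget = 'https://api.example.com/other';

// Compare what each policy forwards; the vulnerable one leaks the proxy credential.
function demo() {
  return {
    vulnerable: headersForRedirect(firstHop, crossOriginTarget, sampleHeaders, SENSITIVE_HEADERS_VULNERABLE),
    fixed: headersForRedirect(firstHop, crossOriginTarget, sampleHeaders),
    sameOriginHop: headersForRedirect(firstHop, sameOriginTarget, sampleHeaders),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```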
What is the Impact of CVE-2024-24758?
Successful exploitation may allow attackers to obtain sensitive `Proxy-Authorization` header credentials, potentially leading to unauthorized access to internal network resources or further attacks.
What is the Exploitability of CVE-2024-24758?
Exploitation requires an Undici client to initiate a request to an endpoint that issues a cross-origin redirect. The attacker must control the redirect target to capture the Proxy-Authorization header. No authentication is required for the attacker, but the victim client must have Proxy-Authorization headers configured. This is a remote vulnerability. The complexity is low to moderate. The likelihood of exploitation is heightened in environments where Undici is used to interact with external services and where proxies requiring authentication are common, especially if redirects are handled without careful scrutiny of header forwarding.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-24758?
Available Upgrade Options
- undici
  - <5.28.3 → Upgrade to 5.28.3
  - >6.0.0, <6.6.1 → Upgrade to 6.6.1
Additional Resources
- http://www.openwall.com/lists/oss-security/2024/03/11/1
- https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
- https://nvd.nist.gov/vuln/detail/CVE-2024-24758
- https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458
- https://github.com/nodejs/undici
- https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
- https://github.com/nodejs/undici/releases/tag/v6.6.1
What are Similar Vulnerabilities to CVE-2024-24758?
Similar Vulnerabilities: CVE-2024-28849, CVE-2023-43644, CVE-2022-24765, CVE-2021-37704, CVE-2020-15104
