Undici is a popular HTTP/1.1 client used by many web developers in their Node.js applications. It is valued for its fast and lightweight performance, as well as ease of use. However, prior to version 5.26.2, Undici contained a security vulnerability that could lead to the accidental leakage of cookies to a third-party site or a potential attacker. In this post, we will discuss the details of CVE-2023-45143, the vulnerability in question, and provide code snippets, links to the original references, and details on the exploit and its patch.

The Vulnerability - Cookie Header Leakage (CVE-2023-45143)

Prior to Undici version 5.26.2, the client would clear Authorization headers on cross-origin redirects, but it did not clear Cookie headers. This is problematic because, by design, cookie headers are forbidden request headers and should not be set in RequestInit.headers in browser environments.

As a result, Undici's implementation of fetch did not align with the assumptions made by the spec, and this could lead to the accidental leakage of cookies to a third-party site or a malicious attacker who can control the redirection target (i.e. an open redirector) and then leak the cookie to a third-party site.

Here is a code snippet that demonstrates the vulnerability

const { request } = require('undici');

async function vulnerableFetch(url) {
  const response = await request(url, {
    headers: {
      'Authorization': 'Bearer your_token_here',
      'Cookie': 'cookie_name=cookie_value'
    }
  });

  // Process the response
}

In the code above, if the requested URL redirects to a different origin, the Authorization header will be cleared correctly, but the Cookie header will not. This can lead to the scenario mentioned previously, where cookies of one origin are sent to another, potentially malicious, origin.

The Patch - Version 5.26.2

This vulnerability was fixed in Undici version 5.26.2, which introduced a change to clear Cookie headers on cross-origin redirects. The new behavior ensures that both Authorization and Cookie headers are cleared, and thus aligns with the spec and mitigates the risk of accidental cookie leakage.

Developers should update to version 5.26.2 or later as soon as possible to protect their applications and users' data.

Here's a snippet of code that demonstrates the patched behavior in version 5.26.2 or later

const { request } = require('undici');

async function secureFetch(url) {
  const response = await request(url, {
    headers: {
      'Authorization': 'Bearer your_token_here',
      'Cookie': 'cookie_name=cookie_value'
    }
  });

  // Process the response, knowing that cross-origin redirects are now secure
}

With this change, Undici now correctly clears both Authorization and Cookie headers on cross-origin redirects, ensuring a safer and more secure browsing experience for users and developers alike.

For further details on CVE-2023-45143, consult the following resources

1. Original Undici Issue: Undici Issue #1305
2. Undici Pull Request for the Fix: Undici PR #1306
3. Undici Release Notes: Undici v5.26.2 Release
4. CVE Details: CVE-2023-45143

Conclusion

In summary, the Undici HTTP/1.1 client contained a cookie header leakage vulnerability, CVE-2023-45143, which was patched in version 5.26.2. To ensure the security of your web applications and users' data, it is crucial to keep your dependencies up-to-date and address vulnerabilities like this one as soon as possible. By staying informed, applying patches and updates promptly, and adhering to security best practices, developers can continue creating robust and secure web applications for their users.

Timeline

Published on: 10/12/2023 17:15:10 UTC
Last modified on: 11/03/2023 22:15:11 UTC