{"api_version":"1","generated_at":"2026-04-22T23:23:05+00:00","cve":"CVE-2023-45143","urls":{"html":"https://cve.report/CVE-2023-45143","api":"https://cve.report/api/cve/CVE-2023-45143.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-45143","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-45143"},"summary":{"title":"CVE-2023-45143","description":"Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-10-12 17:15:00","updated_at":"2023-11-03 22:15:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76","name":"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-wqq4-5wpv-mx2g · nodejs/undici@e041de3 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/2166948","name":"https://hackerone.com/reports/2166948","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: nodejs18-18.18.2-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 39 Update: nodejs18-18.18.2-1.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp","name":"https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp","refsource":"MISC","tags":[],"title":"Cookies uncleared on cross-host / cross-origin redirect · Advisory · nodejs/undici · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: nodejs18-18.18.2-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/nodejs/undici/releases/tag/v5.26.2","name":"https://github.com/nodejs/undici/releases/tag/v5.26.2","refsource":"MISC","tags":[],"title":"Release v5.26.2 · nodejs/undici · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: nodejs20-20.8.1-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: nodejs20-20.8.1-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g","name":"https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g","refsource":"MISC","tags":[],"title":"Cookie header not cleared on cross-origin redirect in fetch · Advisory · nodejs/undici · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 39 Update: nodejs20-20.8.1-1.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-45143","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45143","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"undici","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-45143","qid":"161007","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2023-5849)"},{"cve":"CVE-2023-45143","qid":"161010","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-5869)"},{"cve":"CVE-2023-45143","qid":"161192","title":"Oracle Enterprise Linux Security Update for nodejs:20 (ELSA-2023-7205)"},{"cve":"CVE-2023-45143","qid":"242376","title":"Red Hat Update for nodejs:18 (RHSA-2023:5849)"},{"cve":"CVE-2023-45143","qid":"242385","title":"Red Hat Update for nodejs:18 (RHSA-2023:5869)"},{"cve":"CVE-2023-45143","qid":"242429","title":"Red Hat Update for nodejs:20 (RHSA-2023:7205)"},{"cve":"CVE-2023-45143","qid":"284660","title":"Fedora Security Update for nodejs18 (FEDORA-2023-d5030c983c)"},{"cve":"CVE-2023-45143","qid":"284672","title":"Fedora Security Update for nodejs20 (FEDORA-2023-f66fc0f62a)"},{"cve":"CVE-2023-45143","qid":"284673","title":"Fedora Security Update for nodejs20 (FEDORA-2023-4d2fd884ea)"},{"cve":"CVE-2023-45143","qid":"284674","title":"Fedora Security Update for nodejs18 (FEDORA-2023-e9c04d81c1)"},{"cve":"CVE-2023-45143","qid":"285187","title":"Fedora Security Update for nodejs20 (FEDORA-2023-7b52921cae)"},{"cve":"CVE-2023-45143","qid":"285188","title":"Fedora Security Update for nodejs18 (FEDORA-2023-dbe64661af)"},{"cve":"CVE-2023-45143","qid":"296106","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 64.157.2 Missing (CPUOCT2023)"},{"cve":"CVE-2023-45143","qid":"356619","title":"Amazon Linux Security Advisory for nodejs : ALAS2023-2023-412"},{"cve":"CVE-2023-45143","qid":"378951","title":"Node.js Multiple Security Vulnerabilties (October 13, 2023 Security Release)"},{"cve":"CVE-2023-45143","qid":"503388","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2023-45143","qid":"503389","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-45143","qid":"505901","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-45143","qid":"506129","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2023-45143","qid":"510683","title":"Alpine Linux Security Update for openjdk21"},{"cve":"CVE-2023-45143","qid":"755122","title":"SUSE Enterprise Linux Security Update for nodejs18 (SUSE-SU-2023:4133-1)"},{"cve":"CVE-2023-45143","qid":"755131","title":"SUSE Enterprise Linux Security Update for nodejs18 (SUSE-SU-2023:4155-1)"},{"cve":"CVE-2023-45143","qid":"755167","title":"SUSE Enterprise Linux Security Update for nodejs18 (SUSE-SU-2023:4207-1)"},{"cve":"CVE-2023-45143","qid":"907479","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (31338)"},{"cve":"CVE-2023-45143","qid":"907518","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (31338-1)"},{"cve":"CVE-2023-45143","qid":"941306","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5869)"},{"cve":"CVE-2023-45143","qid":"941309","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5849)"},{"cve":"CVE-2023-45143","qid":"941479","title":"AlmaLinux Security Update for nodejs:20 (ALSA-2023:7205)"},{"cve":"CVE-2023-45143","qid":"961085","title":"Rocky Linux Security Update for nodejs:20 (RLSA-2023:7205)"},{"cve":"CVE-2023-45143","qid":"995583","title":"NodeJs (Npm) Security Update for undici (GHSA-wqq4-5wpv-mx2g)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-45143","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","cweId":"CWE-200"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"nodejs","product":{"product_data":[{"product_name":"undici","version":{"version_data":[{"version_affected":"=","version_value":"< 5.26.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g","refsource":"MISC","name":"https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g"},{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp","refsource":"MISC","name":"https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"},{"url":"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76","refsource":"MISC","name":"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76"},{"url":"https://hackerone.com/reports/2166948","refsource":"MISC","name":"https://hackerone.com/reports/2166948"},{"url":"https://github.com/nodejs/undici/releases/tag/v5.26.2","refsource":"MISC","name":"https://github.com/nodejs/undici/releases/tag/v5.26.2"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"}]},"source":{"advisory":"GHSA-wqq4-5wpv-mx2g","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":3.9,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L","version":"3.1"}]}},"nvd":{"publishedDate":"2023-10-12 17:15:00","lastModifiedDate":"2023-11-03 22:15:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW"},"exploitabilityScore":2.1,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*","versionEndExcluding":"5.26.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}