CVE-2023-45143 Overview
CVE-2023-45143 is an Information Leakage vulnerability in Undici, the HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici cleared Authorization headers on cross-origin redirects but failed to clear Cookie headers, potentially exposing sensitive session data to third-party sites.
Critical Impact
Cookie headers may be leaked to third-party sites during cross-origin redirects, enabling session hijacking or credential theft when an attacker controls the redirect target.
Affected Products
- Node.js Undici versions prior to 5.26.2
- Fedora 37
- Fedora 38
- Fedora 39
Discovery Timeline
- 2023-10-12 - CVE-2023-45143 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-45143
Vulnerability Analysis
This vulnerability stems from an inconsistency between the Fetch specification and Undici's implementation of HTTP header handling during cross-origin redirects. While browsers treat Cookie headers as forbidden request headers (disallowing them in RequestInit.headers), Undici handles headers more liberally than the specification dictates.
When a request is redirected to a different origin, Undici properly cleared the Authorization header to prevent credential leakage. However, the Cookie header was not cleared in the same manner, creating a gap where session cookies intended for the original domain could be inadvertently sent to a different domain.
This disconnect between specification assumptions and Undici's implementation creates a scenario where cookies leak to unintended recipients, particularly dangerous when:
- An open redirector vulnerability exists on the original domain
- An attacker can manipulate redirect targets
- The application makes fetch requests that follow redirects across origins
Root Cause
The root cause is incomplete implementation of cross-origin redirect security controls in Undici's fetch implementation. While the Authorization header was properly sanitized on cross-origin redirects per the Fetch specification, the implementation overlooked the Cookie and Host headers. In browser environments, these headers are forbidden request headers and cannot be set manually, but Undici's more permissive header handling allowed them to persist across redirect boundaries.
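To make the gap concrete, the following JavaScript models the redirect-time header handling described above, before and after the 5.26.2 fix. This is an added example written for this page, not Undici's own code; it assumes headers are kept in a plain object keyed by header name and that "same origin" means an identical WHATWG URL origin (scheme, host, port), which is how the fix's sameOrigin check behaves. The sample request and token values are constructed.

```javascript
// Added example (not Undici's code): models which request headers survive a
// redirect in the vulnerable (pre-5.26.2) and patched behaviour.
// Assumption: same-origin = identical URL.origin (scheme, host, port).

// Before the fix only 'authorization' was cleared on a cross-origin redirect;
// the fix also clears the browser-forbidden 'cookie' and 'host' headers.
const STRIPPED_BEFORE_FIX = ['authorization'];
const STRIPPED_AFTER_FIX = ['authorization', 'cookie', 'host'];

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the headers that would be sent on the redirected request.
// `patched` selects the 5.26.2 behaviour; false reproduces the vulnerable one.
function headersForRedirect(currentUrl, locationUrl, headers, patched) {
  const out = {};
  // Normalise to lowercase names, as header lists are case-insensitive.
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  if (!sameOrigin(currentUrl, locationUrl)) {
    const toStrip = patched ? STRIPPED_AFTER_FIX : STRIPPED_BEFORE_FIX;
    for (const name of toStrip) delete out[name];
  }
  return out;
}

// Constructed sample: an authenticated request to a trusted site whose open
// redirector forwards it to a third-party origin.
const sampleHeaders = {
  Authorization: 'Bearer example-token',
  Cookie: 'session=example-session-id',
  Host: 'trusted.example',
  Accept: 'application/json',
};

function demo() {
  const from = 'https://trusted.example/redirect?to=https://third-party.example/';
  const crossOrigin = 'https://third-party.example/';
  const sameSite = 'https://trusted.example/login';
  return {
    // Vulnerable: Authorization gone, but Cookie and Host still leak.
    vulnerable: headersForRedirect(from, crossOrigin, sampleHeaders, false),
    // Patched: Cookie and Host are cleared as well.
    patched: headersForRedirect(from, crossOrigin, sampleHeaders, true),
    // Same-origin hop: nothing is stripped in either version, by design.
    sameOriginHop: headersForRedirect(from, sameSite, sampleHeaders, true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the three header sets; the "vulnerable" set still contains the session cookie bound for the third-party origin, which is exactly the leak the advisory describes, while the same-origin hop keeps its cookie in both versions because the fix only applies across origin boundaries.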
Attack Vector
The attack vector is network-based and requires user interaction: a victim application using Undici makes a fetch request that is redirected to an attacker-controlled domain. An attacker could exploit this by:
- Identifying an open redirector on a trusted domain
- Crafting a malicious URL that redirects to an attacker-controlled server
- Tricking the victim application into making a request to the open redirector
- Capturing the leaked cookies on the attacker's server
if (!sameOrigin(requestCurrentURL(request), locationURL)) {
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
request.headersList.delete('authorization')
+ // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
+ request.headersList.delete('cookie')
+ request.headersList.delete('host')
}
// 14. If request's body is non-null, then set request's body to the first return
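Review bot: the two new deletes for 'cookie' and 'host' sit under the same `!sameOrigin(...)` guard as 'authorization', so same-origin redirects keep the cookie, which is the intended behaviour; this hunk would benefit from a regression test pairing a cross-origin 302 (asserting Cookie, Host and Authorization are absent on the follow-up request) with a same-origin 302 (asserting they are kept). The spec comment above the block points only at the CORS non-wildcard request-header section, which covers Authorization alone; the added comment should cite the Fetch spec's forbidden request-header list, which is where Cookie and Host come from.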
Source: GitHub Commit e041de3
Detection Methods for CVE-2023-45143
Indicators of Compromise
- Unexpected HTTP requests from your Node.js application to external domains containing session cookies
- Log entries showing cross-origin redirects that include Cookie headers in outbound requests
- Third-party domains receiving authenticated requests that should have been stripped of credentials
Detection Strategies
- Audit your Node.js applications for Undici versions below 5.26.2 using npm list undici or dependency scanning tools
- Review application logs for cross-origin redirect chains that may expose sensitive headers
- Implement network monitoring to detect cookie headers in outbound cross-origin requests
- Use SentinelOne Singularity to monitor for anomalous network behavior from Node.js processes
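Two of the strategies above (the version audit and scanning for cookie-bearing cross-origin redirect hops) can be scripted. The JavaScript below is an added example for this page, not tooling from Undici or SentinelOne; the version comparison implements the "prior to 5.26.2" rule, and the log format it parses is constructed for the example, so the field names (url, redirected_from, headers) would need mapping onto whatever your HTTP client or proxy actually emits.

```javascript
// Added example (not from the page or Undici): defender-side checks for
// CVE-2023-45143. Log format and sample lines are constructed for this example.

// True when an installed undici version is affected (anything below 5.26.2).
// A leading 'v' and any pre-release/build suffix are ignored.
function isVulnerableUndici(version) {
  const core = version.replace(/^v/, '').split(/[-+]/)[0];
  const [major, minor, patch] = core.split('.').map(Number);
  if ([major, minor, patch].some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  if (major !== 5) return major < 5;
  if (minor !== 26) return minor < 26;
  return patch < 2;
}

// Constructed outbound-request log: one line per request the client sent.
// `redirected_from` records the URL whose redirect produced this request and
// `headers` lists the header names that were sent with it.
const sampleLog = [
  '2023-10-12T10:00:00Z GET url=https://trusted.example/redirect?to=https://third-party.example/ status=302 headers=accept,cookie,authorization',
  '2023-10-12T10:00:01Z GET url=https://third-party.example/ redirected_from=https://trusted.example/redirect?to=https://third-party.example/ status=200 headers=accept,cookie',
  '2023-10-12T10:00:02Z GET url=https://trusted.example/login redirected_from=https://trusted.example/redirect status=200 headers=accept,cookie',
  '2023-10-12T10:00:03Z GET url=https://cdn.example/asset.js status=200 headers=accept',
];

// Parses key=value fields; values never contain whitespace in this format.
function parseLine(line) {
  const fields = {};
  for (const m of line.matchAll(/(\w+)=(\S+)/g)) fields[m[1]] = m[2];
  fields.headers = (fields.headers || '').split(',').filter(Boolean);
  return fields;
}

// Flags redirect hops that crossed an origin boundary while still carrying a
// Cookie header: the exact condition the vulnerable client produced.
function findLeakyRedirects(lines) {
  const hits = [];
  for (const line of lines) {
    const f = parseLine(line);
    if (!f.url || !f.redirected_from) continue; // not a redirect follow-up
    const crossOrigin = new URL(f.url).origin !== new URL(f.redirected_from).origin;
    const carriesCookie = f.headers.map((h) => h.toLowerCase()).includes('cookie');
    if (crossOrigin && carriesCookie) hits.push({ from: f.redirected_from, to: f.url });
  }
  return hits;
}

console.log('5.26.1 vulnerable:', isVulnerableUndici('5.26.1'));
console.log('leaky redirects:', findLeakyRedirects(sampleLog));
```

Only the second line of the sample is flagged: it is a follow-up to a redirect, its origin differs from the redirecting URL, and a Cookie header went with it. The same-origin hop to /login carries a cookie too but is legitimate and is left alone, so the check does not drown in noise from ordinary login flows.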
Monitoring Recommendations
- Enable verbose logging for HTTP client activity in production environments to track redirect behavior
- Configure web application firewalls to alert on requests containing cookies destined for unexpected domains
- Implement runtime application self-protection (RASP) to detect and block sensitive header leakage
How to Mitigate CVE-2023-45143
Immediate Actions Required
- Upgrade Undici to version 5.26.2 or later immediately using npm update undici
- Audit all Node.js applications in your environment for vulnerable Undici versions
- Review applications that make cross-origin requests and assess potential exposure
- Consider implementing additional cookie security measures such as SameSite attributes
Patch Information
The vulnerability was patched in Undici version 5.26.2. The fix adds explicit deletion of Cookie and Host headers when requests are redirected to a different origin, aligning Undici's behavior with browser security expectations. The patch is available in the GitHub Release v5.26.2.
For detailed security information, refer to the GitHub Security Advisory GHSA-wqq4-5wpv-mx2g.
Workarounds
- There are no known workarounds for this vulnerability - upgrading is required
- As a temporary measure, avoid making fetch requests that may follow redirects to untrusted domains
- Implement strict redirect policies at the application level to limit redirect following
# Upgrade Undici to the patched version
npm update undici
# Verify the installed version
npm list undici
# For yarn users
yarn upgrade undici@^5.26.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

