CVE-2024-30260
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
CVSS 3.1 base score: 3.9 (LOW)
EPSS: 0.20%
Description
Undici is an HTTP/1.1 client, written from scratch for Node.js. When a response redirected to a different origin, Undici cleared the Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()` (and the related `dispatch`, `stream` and `pipeline` APIs named in the title), so the credentials of the original request could be forwarded to the redirect target. This vulnerability was patched in versions 5.28.4 and 6.11.1.
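The rule the fix applies, as an added example that is not undici's own code: given the request URL, the redirect's Location header and the outgoing headers, return the headers the follow-up request may carry. Credential headers are dropped only when the target origin (scheme, host and port) differs; the sample inputs below are constructed.

```javascript
// Headers that carry credentials and must not follow a cross-origin redirect.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization']);

// Decide which headers survive a redirect from requestUrl to location.
// A relative Location resolves against the request URL, as a client would.
function headersForRedirect(requestUrl, location, headers) {
  const from = new URL(requestUrl);
  const to = new URL(location, from);
  const crossOrigin = from.origin !== to.origin; // scheme + host + port
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive; compare in lower case.
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return { url: to.href, crossOrigin, headers: out };
}

// Constructed sample: a bearer token sent to an API that redirects elsewhere.
const sampleHeaders = {
  Authorization: 'Bearer example-token',
  'Proxy-Authorization': 'Basic example-proxy-credentials',
  Accept: 'application/json',
};

// Cross-origin: credentials are stripped, other headers are kept.
const crossOriginHop = headersForRedirect(
  'https://api.example.com/v1/data', 'https://cdn.example.net/data', sampleHeaders);

// Same-origin (relative Location): credentials are kept.
const sameOriginHop = headersForRedirect(
  'https://api.example.com/v1/data', '/v2/data', sampleHeaders);

// Scheme downgrade on the same host is still a different origin.
const downgradeHop = headersForRedirect(
  'https://api.example.com/v1/data', 'http://api.example.com/v1/data', sampleHeaders);

console.log(Object.keys(crossOriginHop.headers)); // [ 'Accept' ]
console.log(Object.keys(sameOriginHop.headers));  // all three headers
```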
How to fix CVE-2024-30260
To remediate CVE-2024-30260, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 5.28.4 or later
Is CVE-2024-30260 being exploited?
Low: EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- affected from version 0
- affected from version 0, fixed in 5.28.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.9) | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |