Skip to content

Commit

Permalink
blog: update CVE-2023-45143 severity score (nodejs#6096)
Browse files Browse the repository at this point in the history
This was wrongly assessed in H1.
  • Loading branch information
RafaelGSS authored Nov 6, 2023
1 parent bfbcfc4 commit 10fb878
Showing 1 changed file with 1 addition and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ author: Rafael Gonzaga
Updates are now available for the v18.x and v20.x Node.js release lines for the
following issues.

## undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (High) - (CVE-2023-45143)
## undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (Low) - (CVE-2023-45143)

Undici did not always clear Cookie headers on cross-origin redirects. By design, cookie headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch.

Expand Down

0 comments on commit 10fb878

Please sign in to comment.