Skip to main content

Improper Authorization

CVE-2024-30260

Severity Low
Score 3.9/10

Summary

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability affects versions through 5.28.3, and 6.0.0 through 6.11.0.

  • HIGH
  • NETWORK
  • LOW
  • UNCHANGED
  • REQUIRED
  • HIGH
  • LOW
  • LOW

CWE-285 - Improper Authorization

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Advisory Timeline

  • Published