Home > Vulnerability Database > CVE-2022-31151

Mend.io Vulnerability Database

CVE-2022-31151

Good to know:

Date: July 20, 2022

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

Language: JS

Severity Score

6.5

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-31151

Url: https://github.com/nodejs/undici/issues/872

Url: https://security-tracker.debian.org/tracker/CVE-2022-31151

Url: https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp

Url: https://hackerone.com/reports/1635514

Url: https://security.netapp.com/advisory/ntap-20220909-0006/

Url: https://www.mend.io/vulnerability-database/CVE-2022-31151

Severity Score

6.5

Weakness Type (CWE)

Origin Validation Error

CWE-346

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Top Fix

Upgrade Version

Upgrade to version undici - 5.8.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-31151

Good to know:

Date: July 20, 2022

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?