MEDIUM · CVSS 6.5
CVE-2024-30260 — undici header scrubbing bypass
undici (Node.js HTTP client) failed to scrub certain auth headers on cross-origin redirects, leaking credentials similar to the follow-redirects bug.
Affects
- undici < 5.28.4 / < 6.11.1
What an attacker does
The attacker gets a backend service to fetch an attacker-controlled URL that answers with a redirect. Before the patch, undici forwarded the Authorization / Cookie headers through that cross-origin redirect to the attacker's host.
How to detect
`npm ls undici` lists a standalone copy in the dependency tree; undici is also included in Node 18+ by default.
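As an added illustration (not undici's or Node's own code), the following models the cross-origin scrub the patched client performs on the redirect described above, and checks a version string against the fixed releases listed under "Affects"; the header list and the sample URLs are assumptions taken from this advisory.

```javascript
// Added example, not undici's own code: a minimal model of the cross-origin
// redirect header scrub plus a version check against the fixed releases.
// The header list is an assumption drawn from the advisory text.
const SENSITIVE_HEADERS = ['authorization', 'cookie'];

// A redirect is cross-origin when scheme, host or port differ.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Returns the headers that may be forwarded to the redirect target:
// same-origin redirects keep everything, cross-origin redirects drop
// credential-bearing headers (header-name match is case-insensitive).
function scrubRedirectHeaders(fromUrl, toUrl, headers) {
  if (!isCrossOrigin(fromUrl, toUrl)) return { ...headers };
  return Object.fromEntries(
    Object.entries(headers).filter(
      ([name]) => !SENSITIVE_HEADERS.includes(name.toLowerCase())
    )
  );
}

// Numeric "major.minor.patch" comparison; pre-release suffixes are ignored.
function versionLess(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Vulnerable below 5.28.4 on the 5.x line and below 6.11.1 on the 6.x line.
function isVulnerableUndici(version) {
  const major = Number(version.split('.')[0]);
  return major >= 6 ? versionLess(version, '6.11.1') : versionLess(version, '5.28.4');
}

// Node reports the bundled undici (the copy fetch() uses) here; a standalone
// copy in node_modules is what `npm ls undici` shows.
function bundledUndiciVersion() {
  return process.versions.undici || null;
}

// Constructed sample: a backend request carrying a bearer token is redirected
// to another host; only the scrubbed headers should travel onward.
const sample = { Authorization: 'Bearer constructed-token', Accept: 'application/json' };
console.log(scrubRedirectHeaders('https://api.internal.example', 'https://other.example/x', sample));
const bundled = bundledUndiciVersion();
console.log('bundled undici:', bundled, bundled ? isVulnerableUndici(bundled) ? 'VULNERABLE' : 'patched' : 'none');
```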
How to fix
Upgrade undici. Patched versions are available standalone and are bundled into Node.js 20.12+.
How Securie catches it
Securie's Node scanner checks undici versions and use-patterns.