CVE-2023-45143 - Cookie Leakage via Cross-Origin Redirects in Node.js Undici HTTP Client

Undici is a popular HTTP/1.1 client, built from scratch for Node.js, often praised for its speed and spec compliance. But in late 2023, a serious security bug surfaced: CVE-2023-45143. This vulnerability allowed sensitive Cookie headers to leak across origins during redirects, posing risks of session theft or user impersonation.

In this post, we'll walk through what CVE-2023-45143 really means, how and why it happened, how it can be exploited, and what you need to do to keep your applications safe.

What is CVE-2023-45143?

In simple terms, when you make an HTTP request using Undici and your request is redirected to another domain ("cross-origin redirect"), any cookies you sent may also get forwarded to that third party under some conditions. This breaks a major security boundary and could expose session cookies or other authentication tokens to attackers.

Typically, browsers are quite strict about not sending Cookie headers in the wrong context. However, Undici, by being more flexible with HTTP standards, was not stopping these cookies from going to places they shouldn't—at least before version 5.26.2.

Why Did This Happen?

The root of the problem lies in the difference between the *Fetch specification* (the web browser's Bible for HTTP) and Undici's implementation for Node.js.

- Browsers: Don't allow developers to set Cookie headers manually in fetch() requests for user safety.

Undici: Allowed custom Cookie headers via its API.

Undici did clear the Authorization header on cross-origin redirects, but forgot to clear Cookie headers as well.

Real-World Scenario

Suppose your Node.js service makes a request with a session cookie and gets redirected to a third-party domain. Because of this bug, your cookie would go along for the ride, ending up somewhere you *definitely* didn't intend—possibly under the control of an attacker.

Here’s a simplified example to show the problem (using Undici <5.26.2)

const { fetch } = require('undici');

async function example() {
  const response = await fetch('https://your-service.com/start';, {
    headers: {
      'Cookie': 'session=abc123'
    },
    redirect: 'follow'
  });
  const data = await response.text();
  console.log(data);
}

example();

Imagine https://your-service.com/start responds with a redirect to https://evil-attacker.com/steal. In vulnerable versions, your session cookie will be sent to evil-attacker.com.

Exploit Details

To exploit CVE-2023-45143, an attacker needs to control or influence the redirection target. Here’s how an attack would look:

1. Victim's server issues a redirect (e.g., via an open redirect vulnerability or a legitimate-use case).
2. Attacker intercepts the request if the victim server sends a 302 redirect to https://attacker.com/grab-cookie.

Proof-of-Concept Exploit

1. Start an HTTP server that always redirects to https://evil.com.

GitHub Security Advisory:

GHSA-c7cj-cx5x-9pgr (Undici)

NVD Entry:

CVE-2023-45143 (MITRE)

Undici Changelog 5.26.2:

Undici 5.26.2 Release

How Was It Fixed?

Starting with Undici 5.26.2, the library now clears the Cookie header during a cross-origin redirect—just like browsers do.

There is no workaround for earlier versions.
Upgrading is essential.

Update now: Move to Undici version 5.26.2 or later as soon as possible.

- Audit code: Look for custom uses of Cookie headers with Undici or open redirects in your service.

Final Thoughts

CVE-2023-45143 is a classic example of how differences between browser security models and backend HTTP libraries can cause security gaps—especially when handling sensitive information like cookies.

References

- GHSA-c7cj-cx5x-9pgr (GitHub)
- CVE-2023-45143 (MITRE)
- Undici 5.26.2 Fix

Timeline

Published on: 10/12/2023 17:15:10 UTC
Last modified on: 11/03/2023 22:15:11 UTC