Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

授权机制不恰当

Undici 安全漏洞

undici是一个HTTP/1.1客户端。 Undici存在安全漏洞，该漏洞源于在进行dispatch, request, stream, pipeline等操作的跨域重定向时未清除Proxy-Authorization标头。受影响的产品和版本：Undici 5.28.3之前版本，6.0.0至6.11.0之前版本。

N/A

N/A