CVE-2022-31151: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in nodejs undici

Medium
Published: Wed Jul 20 2022 (07/20/2022, 23:00:15 UTC)
Source: CVE
Vendor/Project: nodejs
Product: undici

Description

Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookies to a 3rd-party site, or to a malicious attacker who can control the redirection target (i.e. an open redirector) leaking the cookie to the 3rd-party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

AI-Powered Analysis

Last updated: 06/22/2025, 00:12:12 UTC

Technical Analysis

CVE-2022-31151 is a medium-severity vulnerability classified under CWE-601 (URL Redirection to Untrusted Site, commonly known as an open redirect) affecting the 'undici' HTTP client library used in Node.js environments. The vulnerability arises because, during cross-origin HTTP redirects, the undici client clears authorization headers but fails to clear cookie headers. Cookies are sensitive headers often containing session tokens or authentication information. If an application using an affected undici version (< 5.7.1) enables automatic redirections (i.e., sets maxRedirections > 0), an attacker who can control the redirection target URL could exploit this behavior to leak cookies to a malicious third-party site. This could lead to session hijacking or unauthorized access if the leaked cookies contain authentication credentials. By default, undici disables redirections (maxRedirections: 0), so the vulnerability is not exploitable without explicit configuration changes. The issue was patched in version 5.7.1 by ensuring that cookie headers are cleared on cross-origin redirects, preventing accidental leakage. No known exploits have been reported in the wild, and the vulnerability requires that the application both uses an affected undici version and enables redirections, which somewhat limits the attack surface. However, given the widespread use of undici in Node.js applications and the sensitivity of cookie data, this vulnerability poses a tangible risk if left unpatched in environments that enable redirects.
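The following is an added example, not undici's own code: it models the redirect header handling the analysis above describes, with a switch between the pre-5.7.1 behaviour (only Authorization dropped on a cross-origin hop) and the patched behaviour (Cookie dropped as well), and walks a constructed redirect chain so a reviewer can see at which origin the session cookie would arrive. The URLs and header values are constructed placeholders.

```javascript
// Added example (not undici's code): models the header handling that
// CVE-2022-31151 concerns. A hop is cross-origin when scheme, host or port of
// the Location target differs from the current request URL. Before 5.7.1 only
// Authorization was dropped on such hops; the fix drops Cookie as well.

function isCrossOrigin(fromUrl, toUrl) {
  // Location may be relative, so resolve it against the current URL first.
  return new URL(fromUrl).origin !== new URL(toUrl, fromUrl).origin;
}

// headers: plain object { name: value }. stripCookie=false models the
// vulnerable behaviour, stripCookie=true models the patched behaviour.
function headersForRedirect(fromUrl, location, headers, { stripCookie }) {
  if (!isCrossOrigin(fromUrl, location)) return { ...headers };
  const dropped = new Set(['authorization']);
  if (stripCookie) dropped.add('cookie');
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!dropped.has(name.toLowerCase())) out[name] = value; // names compared case-insensitively
  }
  return out;
}

// Follow a chain of Location values (one per hop) and record the headers that
// reach each hop. Headers dropped at one hop stay dropped for later hops.
function simulateRedirectChain(startUrl, headers, locations, opts) {
  let current = startUrl;
  let sent = { ...headers };
  const hops = [];
  for (const location of locations) {
    sent = headersForRedirect(current, location, sent, opts);
    current = new URL(location, current).href;
    hops.push({ url: current, headers: sent });
  }
  return hops;
}

// Constructed scenario: a same-origin open redirector on the first-party site
// bounces the client (carrying a session cookie) to a third-party origin.
const REQUEST_HEADERS = { Authorization: 'Bearer t0k3n', Cookie: 'session=abc', Accept: '*/*' };
const CHAIN = ['/redirect?to=https://third-party.example/', 'https://third-party.example/collect'];

// Returns the headers that reach the final (third-party) hop under both models.
function demo() {
  const run = (stripCookie) => {
    const hops = simulateRedirectChain('https://app.example/login', REQUEST_HEADERS, CHAIN, { stripCookie });
    return hops[hops.length - 1].headers;
  };
  return { vulnerable: run(false), patched: run(true) };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable model the final hop still receives `Cookie: session=abc` at the third-party origin; in the patched model only `Accept` survives.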

Potential Impact

For European organizations, the impact of this vulnerability primarily concerns confidentiality breaches through cookie leakage. If exploited, attackers could hijack user sessions or gain unauthorized access to internal or customer-facing applications, potentially leading to data breaches, fraud, or further lateral movement within networks. Organizations in sectors such as finance, healthcare, e-commerce, and government, which often rely on Node.js-based services and handle sensitive personal or financial data, are particularly at risk. The vulnerability could undermine trust in digital services and lead to regulatory consequences under GDPR if personal data is compromised. Since the vulnerability requires enabling redirects, organizations that use undici with automatic redirections for microservices communication or API calls are more exposed. The lack of known exploits reduces immediate risk, but the potential for cookie leakage to malicious domains makes timely patching critical to prevent targeted attacks or abuse by threat actors leveraging open redirectors.

Mitigation Recommendations

1. Upgrade undici to version 5.7.1 or later, where the vulnerability is patched.
2. Audit all Node.js applications using undici to identify whether automatic redirections are enabled (maxRedirections > 0). If redirections are not necessary, explicitly set maxRedirections to 0 to disable them.
3. Implement strict validation and sanitization of any user-controllable URLs that might influence redirection targets, to prevent open redirect scenarios.
4. Employ Content Security Policy (CSP) headers to restrict the domains to which cookies and other sensitive data can be sent.
5. Use HttpOnly and Secure flags on cookies to reduce the risk of client-side script access and ensure cookies are only sent over HTTPS.
6. Monitor application logs for unusual redirect patterns or unexpected outbound requests to untrusted domains.
7. Conduct regular security reviews of third-party dependencies and keep them up to date.
8. Consider implementing additional application-layer protections, such as Web Application Firewalls (WAFs) configured to detect and block suspicious redirect chains.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf6704

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/22/2025, 12:12:12 AM

Last updated: 8/9/2025, 2:18:03 PM
