CVE-2024-30260: CWE-285: Improper Authorization in nodejs undici
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
AI Analysis
Technical Summary
Undici is a high-performance HTTP/1.1 client library for Node.js, designed to replace the built-in HTTP client with improved performance and a modern API. CVE-2024-30260 is an improper authorization vulnerability classified under CWE-285. It stems from inconsistent handling of the Authorization and Proxy-Authorization headers between two Undici API methods, fetch() and undici.request(): fetch() clears these sensitive headers to prevent unintended reuse or leakage, but undici.request() does not. As a result, authorization headers can persist across requests unintentionally, exposing credentials or tokens to unauthorized endpoints or intermediaries. Affected versions are all releases prior to 5.28.4 and those from 6.0.0 up to but not including 6.11.1; the patched versions make undici.request() clear these headers as well. The CVSS v3.1 base score is 3.9 (low severity): network attack vector, high attack complexity, high privileges required, user interaction required, and limited confidentiality, integrity, and availability impact. No known exploits have been reported, suggesting limited active exploitation, but the flaw could be used in a longer attack chain by an attacker who already has partial access and can induce requests through the vulnerable API.
Potential Impact
For European organizations, the impact of CVE-2024-30260 is generally low but non-negligible in environments where Undici is used extensively in Node.js applications, especially those handling sensitive data or operating in multi-tenant or cloud environments. Unauthorized retention of Authorization headers could lead to credential leakage or unauthorized access to backend services, potentially compromising confidentiality and integrity of data. This risk is heightened in complex microservices architectures or proxy setups where requests may be forwarded or reused improperly. Although the vulnerability requires high privileges and user interaction, insider threats or chained exploits could leverage this flaw to escalate access or exfiltrate sensitive information. The limited availability impact suggests service disruption is unlikely, but data exposure risks remain. European sectors such as finance, healthcare, and critical infrastructure that rely on Node.js and Undici for backend services should be particularly vigilant. The absence of known exploits reduces immediate risk but does not eliminate the need for prompt remediation.
Mitigation Recommendations
European organizations should prioritize upgrading Undici to versions 5.28.4 or later, or 6.11.1 or later, where the vulnerability is patched. Code audits should be conducted to identify usage of undici.request() and ensure that Authorization and Proxy-Authorization headers are not inadvertently reused or leaked. Implement strict input validation and header management policies within Node.js applications to prevent unauthorized header propagation. Employ runtime monitoring and logging to detect anomalous usage patterns of HTTP client libraries. In environments where upgrading is not immediately feasible, consider implementing network-level controls to restrict access to vulnerable services and enforce strict authentication and authorization policies. Additionally, educate developers about secure usage patterns of HTTP clients and the importance of consistent header handling. Regularly review dependencies and apply security patches promptly as part of a robust software supply chain management process.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-03-26T12:52:00.934Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690a2de9f0ba78a050536eae
Added to database: 11/4/2025, 4:46:33 PM
Last enriched: 11/4/2025, 5:08:48 PM
Last updated: 11/5/2025, 2:10:04 PM