PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-45143 nodejs CVE debrief

CVE-2023-45143 is a LOW-severity vulnerability (CVSS 3.9) affecting Undici, an HTTP/1.1 client for Node.js. The issue involves improper handling of Cookie headers during cross-origin redirects. Prior to version 5.26.2, Undici cleared Authorization headers on cross-origin redirects but failed to clear Cookie headers. While browsers forbid Cookie headers in RequestInit.headers per the Fetch specification, Undici's more liberal header handling created a disconnect that could lead to accidental cookie leakage to third-party sites or malicious actors controlling redirect targets. Siemens SINEC INS is affected by this vulnerability through its use of the vulnerable Undici component. The vulnerability was published on November 12, 2024, and affects SINEC INS prior to V1.0 SP2 Update 3.

Vendor: nodejs
Product: SINEC INS
CVSS: LOW 3.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-12
Original CVE updated: 2024-11-12
Advisory published: 2024-11-12
Advisory updated: 2024-11-12

Who should care

Organizations running Siemens SINEC INS industrial network management software, particularly those with externally accessible interfaces or complex redirect chains. OT security teams managing industrial control systems should prioritize this update as part of routine patch management. Node.js developers using Undici directly should also verify their dependency versions.

Technical summary

The vulnerability exists in Undici's fetch implementation, which handles headers more liberally than the Fetch specification allows. While browsers prevent Cookie headers from being set in RequestInit.headers, Undici permits this. During cross-origin redirects, Undici properly strips Authorization headers but retains Cookie headers, violating the expected security boundary. An attacker who can control a redirect destination (via open redirector or compromised endpoint) could receive cookies intended for the original origin. The attack requires high privileges, user interaction, and high attack complexity, limiting practical exploitability.
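The boundary described above, modelled as an added example (not Undici's own code): a redirect-handling step that decides which request headers survive a hop to a different origin, with the pre-5.26.2 strip list beside the fixed one. The function names, the strip lists as constants, and the sample headers and URLs are constructed for illustration.

```javascript
// Added example, not Undici's own code: models which request headers a
// fetch client must drop when a redirect leaves the original origin.
// Names (isCrossOrigin, sanitizeHeadersForRedirect) are illustrative.

// Two URLs share an origin only if scheme, host and port all match;
// URL.origin normalises default ports, so :443 on https compares equal.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Pre-5.26.2 behaviour: only Authorization is cleared on a cross-origin hop.
const LEGACY_STRIPPED = ['authorization'];
// Fixed behaviour: Cookie is cleared as well (the CVE-2023-45143 change).
const FIXED_STRIPPED = ['authorization', 'cookie'];

// Returns a new plain object with the headers that would be sent to toUrl.
// Header names are compared case-insensitively, as HTTP requires.
function sanitizeHeadersForRedirect(headers, fromUrl, toUrl, stripList = FIXED_STRIPPED) {
  if (!isCrossOrigin(fromUrl, toUrl)) {
    return { ...headers }; // same origin: every header is kept
  }
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!stripList.includes(name.toLowerCase())) {
      out[name] = value;
    }
  }
  return out;
}

// Constructed sample request: a bearer token and session cookie bound to the first origin.
const SAMPLE_HEADERS = {
  Authorization: 'Bearer example-token',
  Cookie: 'session=example-session-id',
  'User-Agent': 'example-client/1.0',
};

// Same-origin redirect keeps everything; on a cross-origin redirect the legacy
// list still forwards Cookie while the fixed list drops both credentials.
function demo() {
  const from = 'https://app.example/api/resource';
  const sameOrigin = 'https://app.example/api/other';
  const crossOrigin = 'https://third-party.example/landing';
  return {
    sameOrigin: sanitizeHeadersForRedirect(SAMPLE_HEADERS, from, sameOrigin),
    legacyCross: sanitizeHeadersForRedirect(SAMPLE_HEADERS, from, crossOrigin, LEGACY_STRIPPED),
    fixedCross: sanitizeHeadersForRedirect(SAMPLE_HEADERS, from, crossOrigin),
  };
}
```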

Defensive priority

Medium

Recommended defensive actions

  • Update Siemens SINEC INS to V1.0 SP2 Update 3 or later
  • Review application configurations for any custom redirect handling that may compound the issue
  • Monitor for suspicious cross-origin redirect patterns in application logs
  • Apply defense-in-depth strategies for industrial control systems as recommended by CISA
  • Verify that Node.js dependencies are updated to Undici 5.26.2 or later in custom deployments

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-24-319-08, which references Siemens security advisory SSA-915275. The CVSS score of 3.9 reflects the attack complexity requirements (user interaction, high privileges, high attack complexity) that limit exploitability.

Official resources

This vulnerability was disclosed through coordinated disclosure. The issue was patched in Undici version 5.26.2. Siemens has released an update for SINEC INS. No known workarounds exist for the underlying Undici vulnerability.