blog: update CVE-2023-45143 severity score

This was wrongly assessed in H1.
nodejs · Nov 6, 2023 · 875f403 · 875f403
1 parent 622c205
commit 875f403
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pages/en/blog/vulnerability/october-2023-security-releases.md b/pages/en/blog/vulnerability/october-2023-security-releases.md
@@ -11,7 +11,7 @@ author: Rafael Gonzaga
 Updates are now available for the v18.x and v20.x Node.js release lines for the
 following issues.
 
-## undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (High) - (CVE-2023-45143)
+## undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (Low) - (CVE-2023-45143)
 
 Undici did not always clear Cookie headers on cross-origin redirects. By design, cookie headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch.