diff --git a/CVE-2024-30260-undici-clear-proxy-authorization.patch b/CVE-2024-30260-undici-clear-proxy-authorization.patch
new file mode 100644
index 0000000..a626702
--- /dev/null
+++ b/CVE-2024-30260-undici-clear-proxy-authorization.patch
@@ -0,0 +1,25 @@
+Manual backport of https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
+
+--- src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js.old 2024-04-04 09:55:39.696980900 +0000
++++ src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js 2024-04-09 16:52:37.888616200 +0000
+@@ -188,7 +188,8 @@ function shouldRemoveHeader (header, rem
+ (header.length === 4 && header.toString().toLowerCase() === 'host') ||
+ (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
+ (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
+- (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
++ (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') ||
++ (unknownOrigin && header.length === 19 && header.toString().toLowerCase() === 'proxy-authorization')
+ )
+ }
+
+--- src/third_party/electron_node/deps/undici/undici.js.old 2024-04-04 10:02:38.059765300 +0000
++++ src/third_party/electron_node/deps/undici/undici.js 2024-04-09 16:51:15.754041100 +0000
+@@ -7902,7 +7902,7 @@ var require_RedirectHandler = __commonJS
+ }
+ __name(parseLocation, "parseLocation");
+ function shouldRemoveHeader(header, removeContent, unknownOrigin) {
+- return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie";
++ return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie" || unknownOrigin && header.length === 19 && header.toString().toLowerCase() === "proxy-authorization"
+ }
+ __name(shouldRemoveHeader, "shouldRemoveHeader");
+ function cleanRequestHeaders(headers, removeContent, unknownOrigin) {
diff --git a/nodejs-electron.changes b/nodejs-electron.changes
index 8cf3611..21bfe26 100644
--- a/nodejs-electron.changes
+++ b/nodejs-electron.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Apr 9 16:58:14 UTC 2024 - Bruno Pitrus
+
+- Add backported CVE-2024-30260-undici-clear-proxy-authorization.patch (CVE-2024-30260 bsc#1222530)
+
 -------------------------------------------------------------------
 Thu Apr 4 20:35:05 UTC 2024 - Bruno Pitrus
diff --git a/nodejs-electron.spec b/nodejs-electron.spec
index 107f3d6..66a9d10 100644
--- a/nodejs-electron.spec
+++ b/nodejs-electron.spec
@@ -354,6 +354,7 @@ Patch3132: v8-instance-type-inl-constexpr-used-before-its-definition.patch
 Patch3133: swiftshader-llvm18-LLVMReactor-getInt8PtrTy.patch
 Patch3134: swiftshader-llvm18-LLVMJIT-Host.patch
 Patch3135: swiftshader-llvm18-LLVMJIT-CodeGenOptLevel.patch
+Patch3136: CVE-2024-30260-undici-clear-proxy-authorization.patch
 BuildRequires: brotli
 %if %{with system_cares}
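Review bot: The patch edits both `src/lib/handler/RedirectHandler.js` and the prebuilt `undici.js` bundle with the same change, but its header line does not say that the two are copies of one function and must be kept in sync; a second header line such as `undici.js is the bundled build of src/ and is patched too so the fix takes effect whichever copy the build loads` would save the next backporter from patching only one. The new `proxy-authorization` clause is guarded by `unknownOrigin` in both copies, so the header is still forwarded on a same-origin redirect; this matches the `authorization` and `cookie` clauses beside it and appears to follow the upstream commit named in the first line, but the header should record that this is deliberate, since a proxy credential is not tied to the target origin. No test accompanies the backport; if the upstream commit carried a redirect test for this header, carrying it over would make the fix verifiable in this tree. In the bundled hunk `shouldRemoveHeader` is fully inside the hunk, while the enclosing `require_RedirectHandler` wrapper continues outside it.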