NodeJS/follow-redirects/1.15.4
HTTP and HTTPS modules that follow redirects.
https://www.npmjs.com/package/follow-redirects
MIT
1 Security Vulnerabilities
follow-redirects' Proxy-Authorization header kept across hosts
Published date: 2024-03-14T17:19:42Z
CVE: CVE-2024-28849
Links:
- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
- https://nvd.nist.gov/vuln/detail/CVE-2024-28849
- https://github.com/psf/requests/issues/1885
- https://hackerone.com/reports/2390009
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
Steps To Reproduce & PoC
Test code:

```javascript
// PoC from the report: a request carrying three credential-bearing headers,
// written with mixed-case names to exercise case-insensitive header matching.
// A listener on 127.0.0.1:10081 is expected to answer with a redirect to a
// different host; that part of the setup is not included in the report.
const axios = require('axios');
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  })
  .catch((error) => {
    // Surface connection or HTTP errors instead of an unhandled rejection.
    console.error(error);
  });
```
When I meet the cross-domain redirect, sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
Impact
This vulnerability may lead to a credentials leak.
Recommendations
Remove the proxy-authentication header during cross-domain redirects.
Recommended Patch
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
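Review bot: the name added to the pattern here is `proxy-authorization`, while the report text above calls it the "proxy-authentication" header; Proxy-Authorization is the request header that carries credentials to a proxy (Proxy-Authenticate is the 407 challenge sent by the proxy), so the regex targets the right header and the description should be aligned with it. The `/i` flag is what makes this line catch the mixed-case `ProXy-AuthoriZation` from the PoC; a unit test using that exact spelling would guard against a regression to a case-sensitive match.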
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.1.0", "0.2.0", "0.3.0", "1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.5.10", "1.6.0", "1.6.1", "1.7.0", "1.8.0", "1.8.1", "1.9.0", "1.9.1", "1.10.0", "1.11.0", "1.12.0", "1.12.1", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.14.6", "1.14.7", "1.14.8", "1.14.9", "1.15.0", "1.15.1", "1.15.2", "1.15.3", "1.15.4", "1.15.5"]
Secure versions:
[1.15.6]
Recommendation:
Update to version 1.15.6.
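To make the fix concrete, the following is an added example (not follow-redirects' or axios' own code) that models the header-stripping step a redirect-following client performs when the redirect leaves the original host, with the pre-1.15.6 pattern beside the one from the recommended patch above. The `isCrossHost` check and the `removeMatchingHeaders` stand-in are simplified assumptions; the library's own redirect check is more involved and this model does not attempt to reproduce it. The sample headers and the 203.0.113.10 target are constructed.

```javascript
// Added example (not follow-redirects' or axios' own code): models the header-
// stripping step performed when a redirect leaves the original host, with the
// pre-1.15.6 pattern beside the one from the recommended patch.

// Pattern in use before the fix: only Authorization and Cookie are dropped,
// so Proxy-Authorization survives a cross-host redirect.
const VULNERABLE_PATTERN = /^(?:authorization|cookie)$/i;
// Pattern from the recommended patch (shipped in 1.15.6).
const FIXED_PATTERN = /^(?:authorization|proxy-authorization|cookie)$/i;

// Delete every header whose name matches `pattern` (case-insensitive via the
// /i flag) and return the names that were removed. Simplified stand-in for the
// library's removeMatchingHeaders; assumption, not the library's code.
function removeMatchingHeaders(pattern, headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (pattern.test(name)) {
      removed.push(name);
      delete headers[name];
    }
  }
  return removed;
}

// Assumption: a redirect is "cross-host" when the host (including port)
// differs. The library's real check is more involved; this suffices here.
function isCrossHost(fromUrl, toUrl) {
  return new URL(fromUrl).host !== new URL(toUrl).host;
}

// Headers that would be forwarded to the redirect target under `pattern`.
function headersForRedirect(fromUrl, toUrl, headers, pattern) {
  const next = { ...headers };
  if (isCrossHost(fromUrl, toUrl)) {
    removeMatchingHeaders(pattern, next);
  }
  return next;
}

// Constructed sample: the mixed-case header names from the PoC, plus one
// harmless header that must survive either way.
const SAMPLE_HEADERS = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
  'Accept': 'application/json',
};
const ORIGIN = 'http://127.0.0.1:10081/';
const OTHER_HOST = 'http://203.0.113.10/'; // constructed TEST-NET-3 address

// Compare what each pattern forwards after a cross-host redirect.
function compareRedirectHeaders() {
  return {
    before: headersForRedirect(ORIGIN, OTHER_HOST, SAMPLE_HEADERS, VULNERABLE_PATTERN),
    after: headersForRedirect(ORIGIN, OTHER_HOST, SAMPLE_HEADERS, FIXED_PATTERN),
  };
}

const result = compareRedirectHeaders();
console.log('pre-1.15.6 forwards:', Object.keys(result.before));
console.log('1.15.6 forwards:    ', Object.keys(result.after));
```

Run with `node`: the first line lists `ProXy-AuthoriZation` and `Accept`, showing the credential that leaked across hosts; the second lists only `Accept`. A same-host redirect keeps all four headers under either pattern, which is the behaviour the fix must preserve.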
65 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
1.15.6 | MIT | 0 | 2024-03-14 - 16:37 | about 2 months
1.15.5 | MIT | 1 | 2024-01-12 - 08:41 | 4 months |
1.15.4 | MIT | 1 | 2023-12-30 - 17:28 | 4 months |
1.15.3 | MIT | 2 | 2023-09-19 - 18:51 | 8 months |
1.15.2 | MIT | 2 | 2022-09-13 - 15:04 | over 1 year |
1.15.1 | MIT | 2 | 2022-05-26 - 23:23 | almost 2 years |
1.15.0 | MIT | 2 | 2022-05-03 - 21:30 | almost 2 years |
1.14.9 | MIT | 2 | 2022-02-18 - 09:27 | about 2 years |
1.14.8 | MIT | 2 | 2022-02-08 - 11:04 | about 2 years |
1.14.7 | MIT | 3 | 2022-01-10 - 16:58 | over 2 years |
1.14.6 | MIT | 4 | 2021-12-08 - 18:18 | over 2 years |
1.14.5 | MIT | 4 | 2021-10-30 - 18:29 | over 2 years |
1.14.4 | MIT | 4 | 2021-09-14 - 12:21 | over 2 years |
1.14.3 | MIT | 4 | 2021-09-02 - 14:06 | over 2 years |
1.14.2 | MIT | 4 | 2021-08-18 - 12:06 | over 2 years |
1.14.1 | MIT | 4 | 2021-05-09 - 10:13 | almost 3 years |
1.14.0 | MIT | 4 | 2021-04-25 - 16:35 | about 3 years |
1.13.3 | MIT | 4 | 2021-02-27 - 14:41 | about 3 years |
1.13.2 | MIT | 4 | 2021-01-25 - 20:31 | over 3 years |
1.13.1 | MIT | 4 | 2020-12-13 - 16:04 | over 3 years |
1.13.0 | MIT | 4 | 2020-08-10 - 11:41 | over 3 years |
1.12.1 | MIT | 4 | 2020-06-18 - 22:37 | almost 4 years |
1.12.0 | MIT | 4 | 2020-06-16 - 20:37 | almost 4 years |
1.11.0 | MIT | 4 | 2020-03-29 - 10:54 | about 4 years |
1.10.0 | MIT | 4 | 2020-01-26 - 23:35 | over 4 years |
1.9.1 | MIT | 4 | 2020-01-25 - 23:54 | over 4 years |
1.9.0 | MIT | 4 | 2019-09-06 - 13:12 | over 4 years |
1.8.1 | MIT | 4 | 2019-08-27 - 17:37 | over 4 years |
1.8.0 | MIT | 4 | 2019-08-27 - 11:10 | over 4 years |
1.7.0 | MIT | 4 | 2019-02-13 - 21:40 | about 5 years |
1.6.1 | MIT | 4 | 2019-01-03 - 10:24 | over 5 years |
1.6.0 | MIT | 4 | 2018-12-25 - 22:27 | over 5 years |
1.5.10 | MIT | 4 | 2018-11-19 - 21:25 | over 5 years |
1.5.9 | MIT | 4 | 2018-10-09 - 16:01 | over 5 years |
1.5.8 | MIT | 4 | 2018-09-11 - 19:25 | over 5 years |
1.5.7 | MIT | 4 | 2018-08-22 - 18:02 | over 5 years |
1.5.6 | MIT | 4 | 2018-08-21 - 01:44 | over 5 years |
1.5.5 | MIT | 4 | 2018-08-13 - 18:02 | over 5 years |
1.5.4 | MIT | 4 | 2018-08-13 - 13:18 | over 5 years |
1.5.3 | MIT | 4 | 2018-08-13 - 11:15 | over 5 years |
1.5.2 | MIT | 4 | 2018-08-01 - 18:34 | over 5 years |
1.5.1 | MIT | 4 | 2018-07-05 - 20:44 | almost 6 years |
1.5.0 | MIT | 4 | 2018-05-19 - 16:17 | almost 6 years |
1.4.1 | MIT | 4 | 2018-01-24 - 00:42 | over 6 years |
1.4.0 | MIT | 4 | 2018-01-21 - 21:55 | over 6 years |
1.3.0 | MIT | 4 | 2018-01-05 - 18:57 | over 6 years |
1.2.6 | MIT | 4 | 2017-11-22 - 10:35 | over 6 years |
1.2.5 | MIT | 4 | 2017-10-05 - 17:04 | over 6 years |
1.2.4 | MIT | 4 | 2017-06-21 - 19:39 | almost 7 years |
1.2.3 | MIT | 4 | 2017-03-10 - 16:51 | about 7 years |
1.2.2 | MIT | 4 | 2017-03-09 - 21:53 | about 7 years |
1.2.1 | MIT | 4 | 2016-12-18 - 12:52 | over 7 years |
1.2.0 | MIT | 4 | 2016-12-07 - 21:50 | over 7 years |
1.1.0 | MIT | 4 | 2016-11-06 - 16:44 | over 7 years |
1.0.0 | MIT | 4 | 2016-10-23 - 16:09 | over 7 years |
0.3.0 | MIT | 4 | 2016-10-20 - 15:49 | over 7 years |
0.2.0 | MIT | 4 | 2016-06-06 - 22:00 | almost 8 years |
0.1.0 | MIT | 4 | 2016-04-10 - 19:31 | about 8 years |
0.0.7 | MIT | 4 | 2015-09-10 - 01:41 | over 8 years |
0.0.6 | MIT | 4 | 2015-07-04 - 13:26 | almost 9 years |
0.0.5 | MIT | 4 | 2015-07-01 - 15:27 | almost 9 years |
0.0.4 | MIT | 4 | 2015-07-01 - 14:43 | almost 9 years |
0.0.3 | BSD | 4 | 2012-11-29 - 08:19 | over 11 years |
0.0.2 | BSD | 4 | 2012-11-21 - 00:14 | over 11 years |
0.0.1 | BSD | 4 | 2012-11-15 - 22:23 | over 11 years |