NodeJS/follow-redirects/1.15.4
HTTP and HTTPS modules that follow redirects.
https://www.npmjs.com/package/follow-redirects
MIT
1 Security Vulnerabilities
follow-redirects' Proxy-Authorization header kept across hosts
Published date: 2024-03-14T17:19:42Z
CVE: CVE-2024-28849
Links:
- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
- https://nvd.nist.gov/vuln/detail/CVE-2024-28849
- https://github.com/psf/requests/issues/1885
- https://hackerone.com/reports/2390009
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.
Steps To Reproduce & PoC
Test code:
const axios = require('axios');
axios.get('http://127.0.0.1:10081/', {
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
})
.then((response) => {
console.log(response);
})
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
Impact
This vulnerability may lead to credentials leak.
Recommendations
Remove proxy-authentication header during cross-domain redirect
Recommended Patch
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
Affected versions:
["0.0.3", "0.0.6", "0.1.0", "0.2.0", "1.0.0", "1.2.0", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.2", "1.5.3", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.5.10", "1.6.0", "1.7.0", "1.8.1", "1.9.1", "1.10.0", "1.11.0", "1.13.0", "0.0.1", "0.0.2", "0.0.4", "0.0.5", "0.0.7", "0.3.0", "1.1.0", "1.2.1", "1.2.2", "1.2.3", "1.5.1", "1.5.4", "1.6.1", "1.8.0", "1.9.0", "1.12.0", "1.12.1", "1.13.1", "1.13.2", "1.13.3", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.14.6", "1.14.7", "1.14.8", "1.14.9", "1.15.0", "1.15.1", "1.15.2", "1.15.3", "1.15.4", "1.15.5"]
Secure versions:
[1.15.6, 1.15.7, 1.15.8, 1.15.9]
Recommendation:
Update to version 1.15.9.
68 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.2.5 | MIT | 4 | 2017-10-05 - 17:04 | over 7 years |
| 1.2.4 | MIT | 4 | 2017-06-21 - 19:39 | about 8 years |
| 1.2.3 | MIT | 4 | 2017-03-10 - 16:51 | over 8 years |
| 1.2.2 | MIT | 4 | 2017-03-09 - 21:53 | over 8 years |
| 1.2.1 | MIT | 4 | 2016-12-18 - 12:52 | over 8 years |
| 1.2.0 | MIT | 4 | 2016-12-07 - 21:50 | over 8 years |
| 1.1.0 | MIT | 4 | 2016-11-06 - 16:44 | over 8 years |
| 1.0.0 | MIT | 4 | 2016-10-23 - 16:09 | over 8 years |
| 0.3.0 | MIT | 4 | 2016-10-20 - 15:49 | over 8 years |
| 0.2.0 | MIT | 4 | 2016-06-06 - 22:00 | about 9 years |
| 0.1.0 | MIT | 4 | 2016-04-10 - 19:31 | about 9 years |
| 0.0.7 | MIT | 4 | 2015-09-10 - 01:41 | almost 10 years |
| 0.0.6 | MIT | 4 | 2015-07-04 - 13:26 | almost 10 years |
| 0.0.5 | MIT | 4 | 2015-07-01 - 15:27 | about 10 years |
| 0.0.4 | MIT | 4 | 2015-07-01 - 14:43 | about 10 years |
| 0.0.3 | BSD | 4 | 2012-11-29 - 08:19 | over 12 years |
| 0.0.2 | BSD | 4 | 2012-11-21 - 00:14 | over 12 years |
| 0.0.1 | BSD | 4 | 2012-11-15 - 22:23 | over 12 years |