NodeJS/follow-redirects/1.15.5


HTTP and HTTPS modules that follow redirects.

https://www.npmjs.com/package/follow-redirects
MIT

1 Security Vulnerabilities

follow-redirects' Proxy-Authorization header kept across hosts

Published date: 2024-03-14T17:19:42Z
CVE: CVE-2024-28849

When using axios, its dependency follow-redirects only clears the Authorization and Cookie headers during a cross-domain redirect, but still forwards the Proxy-Authorization header, which also carries credentials.

Steps To Reproduce & PoC

Test code:

const axios = require('axios');

// Constructed credential values; the header names are deliberately mixed-case
// to show that the stripping is matched case-insensitively. The local server on
// 127.0.0.1:10081 is expected to answer with a redirect to a different host.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  });

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.

Impact

This vulnerability may lead to a leak of the proxy credentials to the host the request is redirected to.

Recommendations

Remove the Proxy-Authorization header during cross-domain redirects, as is already done for Authorization and Cookie.

Recommended Patch

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
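Review bot: the new `proxy-authorization` alternative only takes effect inside the existing cross-host branch that this hunk does not show, so the fix is complete only if that call is the single place redirect headers are rewritten; a regression test that follows a redirect to a different host with the PoC's mixed-case `ProXy-AuthoriZation` header and asserts it is absent from the second request would pin that down (the `i` flag on the pattern is what makes the mixed case match). The hunk is given only as a line reference (index.js:464) with no `@@` context, so whoever applies it should confirm the target line still reads `removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);` in the version being patched.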

Affected versions: ["0.0.3", "0.0.6", "0.1.0", "0.2.0", "1.0.0", "1.2.0", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.2", "1.5.3", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.5.10", "1.6.0", "1.7.0", "1.8.1", "1.9.1", "1.10.0", "1.11.0", "1.13.0", "0.0.1", "0.0.2", "0.0.4", "0.0.5", "0.0.7", "0.3.0", "1.1.0", "1.2.1", "1.2.2", "1.2.3", "1.5.1", "1.5.4", "1.6.1", "1.8.0", "1.9.0", "1.12.0", "1.12.1", "1.13.1", "1.13.2", "1.13.3", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.14.6", "1.14.7", "1.14.8", "1.14.9", "1.15.0", "1.15.1", "1.15.2", "1.15.3", "1.15.4", "1.15.5"]
Secure versions: [1.15.6, 1.15.7, 1.15.8, 1.15.9]
Recommendation: Update to version 1.15.9.

68 Other Versions

Version   License   Security issues   Released           Age
1.15.9    MIT                         2024-09-06 08:56   10 months
1.15.8    MIT                         2024-09-03 21:44   10 months
1.15.7    MIT                         2024-09-03 19:28   10 months
1.15.6    MIT                         2024-03-14 16:37   over 1 year
1.15.5    MIT       1                 2024-01-12 08:41   over 1 year
1.15.4    MIT       1                 2023-12-30 17:28   over 1 year
1.15.3    MIT       2                 2023-09-19 18:51   almost 2 years
1.15.2    MIT       2                 2022-09-13 15:04   almost 3 years
1.15.1    MIT       2                 2022-05-26 23:23   about 3 years
1.15.0    MIT       2                 2022-05-03 21:30   about 3 years
1.14.9    MIT       2                 2022-02-18 09:27   over 3 years
1.14.8    MIT       2                 2022-02-08 11:04   over 3 years
1.14.7    MIT       3                 2022-01-10 16:58   over 3 years
1.14.6    MIT       4                 2021-12-08 18:18   over 3 years
1.14.5    MIT       4                 2021-10-30 18:29   over 3 years
1.14.4    MIT       4                 2021-09-14 12:21   almost 4 years
1.14.3    MIT       4                 2021-09-02 14:06   almost 4 years
1.14.2    MIT       4                 2021-08-18 12:06   almost 4 years
1.14.1    MIT       4                 2021-05-09 10:13   about 4 years
1.14.0    MIT       4                 2021-04-25 16:35   about 4 years
1.13.3    MIT       4                 2021-02-27 14:41   over 4 years
1.13.2    MIT       4                 2021-01-25 20:31   over 4 years
1.13.1    MIT       4                 2020-12-13 16:04   over 4 years
1.13.0    MIT       4                 2020-08-10 11:41   almost 5 years
1.12.1    MIT       4                 2020-06-18 22:37   about 5 years
1.12.0    MIT       4                 2020-06-16 20:37   about 5 years
1.11.0    MIT       4                 2020-03-29 10:54   over 5 years
1.10.0    MIT       4                 2020-01-26 23:35   over 5 years
1.9.1     MIT       4                 2020-01-25 23:54   over 5 years
1.9.0     MIT       4                 2019-09-06 13:12   almost 6 years
1.8.1     MIT       4                 2019-08-27 17:37   almost 6 years
1.8.0     MIT       4                 2019-08-27 11:10   almost 6 years
1.7.0     MIT       4                 2019-02-13 21:40   over 6 years
1.6.1     MIT       4                 2019-01-03 10:24   over 6 years
1.6.0     MIT       4                 2018-12-25 22:27   over 6 years
1.5.10    MIT       4                 2018-11-19 21:25   over 6 years
1.5.9     MIT       4                 2018-10-09 16:01   over 6 years
1.5.8     MIT       4                 2018-09-11 19:25   almost 7 years
1.5.7     MIT       4                 2018-08-22 18:02   almost 7 years
1.5.6     MIT       4                 2018-08-21 01:44   almost 7 years
1.5.5     MIT       4                 2018-08-13 18:02   almost 7 years
1.5.4     MIT       4                 2018-08-13 13:18   almost 7 years
1.5.3     MIT       4                 2018-08-13 11:15   almost 7 years
1.5.2     MIT       4                 2018-08-01 18:34   almost 7 years
1.5.1     MIT       4                 2018-07-05 20:44   almost 7 years
1.5.0     MIT       4                 2018-05-19 16:17   about 7 years
1.4.1     MIT       4                 2018-01-24 00:42   over 7 years
1.4.0     MIT       4                 2018-01-21 21:55   over 7 years
1.3.0     MIT       4                 2018-01-05 18:57   over 7 years
1.2.6     MIT       4                 2017-11-22 10:35   over 7 years