NodeJS/follow-redirects/1.9.1
HTTP and HTTPS modules that follow redirects.
https://www.npmjs.com/package/follow-redirects
MIT
4 Security Vulnerabilities
Exposure of sensitive information in follow-redirects
- https://nvd.nist.gov/vuln/detail/CVE-2022-0155
- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22
- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
- https://github.com/advisories/GHSA-74fj-2j2h-c42q
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
follow-redirects' Proxy-Authorization header kept across hosts
- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
- https://nvd.nist.gov/vuln/detail/CVE-2024-28849
- https://github.com/psf/requests/issues/1885
- https://hackerone.com/reports/2390009
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.
Steps To Reproduce & PoC
Test code:
const axios = require('axios');
axios.get('http://127.0.0.1:10081/', {
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
})
.then((response) => {
console.log(response);
})
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
Impact
This vulnerability may lead to credentials leak.
Recommendations
Remove proxy-authentication header during cross-domain redirect
Recommended Patch
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
Follow Redirects improperly handles URLs in the url.parse() function
- https://nvd.nist.gov/vuln/detail/CVE-2023-26159
- https://github.com/follow-redirects/follow-redirects/issues/235
- https://github.com/follow-redirects/follow-redirects/pull/236
- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137
- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d
- https://github.com/advisories/GHSA-jchw-25xp-jwwc
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
65 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.14.7 | MIT | 3 | 2022-01-10 - 16:58 | over 2 years |
1.15.1 | MIT | 2 | 2022-05-26 - 23:23 | almost 2 years |
1.14.8 | MIT | 2 | 2022-02-08 - 11:04 | over 2 years |
1.15.0 | MIT | 2 | 2022-05-03 - 21:30 | about 2 years |
1.15.2 | MIT | 2 | 2022-09-13 - 15:04 | over 1 year |
1.14.9 | MIT | 2 | 2022-02-18 - 09:27 | about 2 years |
1.15.3 | MIT | 2 | 2023-09-19 - 18:51 | 8 months |
1.15.5 | MIT | 1 | 2024-01-12 - 08:41 | 4 months |
1.15.4 | MIT | 1 | 2023-12-30 - 17:28 | 5 months |
0.3.0 | MIT | 4 | 2016-10-20 - 15:49 | over 7 years |
1.0.0 | MIT | 4 | 2016-10-23 - 16:09 | over 7 years |
1.1.0 | MIT | 4 | 2016-11-06 - 16:44 | over 7 years |
1.2.0 | MIT | 4 | 2016-12-07 - 21:50 | over 7 years |
1.2.1 | MIT | 4 | 2016-12-18 - 12:52 | over 7 years |
0.0.7 | MIT | 4 | 2015-09-10 - 01:41 | over 8 years |
1.2.3 | MIT | 4 | 2017-03-10 - 16:51 | about 7 years |
1.2.4 | MIT | 4 | 2017-06-21 - 19:39 | almost 7 years |
1.2.5 | MIT | 4 | 2017-10-05 - 17:04 | over 6 years |
1.2.6 | MIT | 4 | 2017-11-22 - 10:35 | over 6 years |
1.3.0 | MIT | 4 | 2018-01-05 - 18:57 | over 6 years |
1.4.0 | MIT | 4 | 2018-01-21 - 21:55 | over 6 years |
1.4.1 | MIT | 4 | 2018-01-24 - 00:42 | over 6 years |
1.5.0 | MIT | 4 | 2018-05-19 - 16:17 | almost 6 years |
1.5.1 | MIT | 4 | 2018-07-05 - 20:44 | almost 6 years |
0.0.6 | MIT | 4 | 2015-07-04 - 13:26 | almost 9 years |
1.5.3 | MIT | 4 | 2018-08-13 - 11:15 | almost 6 years |
1.5.4 | MIT | 4 | 2018-08-13 - 13:18 | almost 6 years |
1.5.5 | MIT | 4 | 2018-08-13 - 18:02 | almost 6 years |
1.5.6 | MIT | 4 | 2018-08-21 - 01:44 | over 5 years |
1.5.7 | MIT | 4 | 2018-08-22 - 18:02 | over 5 years |
1.5.8 | MIT | 4 | 2018-09-11 - 19:25 | over 5 years |
1.5.9 | MIT | 4 | 2018-10-09 - 16:01 | over 5 years |
1.5.10 | MIT | 4 | 2018-11-19 - 21:25 | over 5 years |
1.6.0 | MIT | 4 | 2018-12-25 - 22:27 | over 5 years |
1.6.1 | MIT | 4 | 2019-01-03 - 10:24 | over 5 years |
1.7.0 | MIT | 4 | 2019-02-13 - 21:40 | over 5 years |
1.8.0 | MIT | 4 | 2019-08-27 - 11:10 | over 4 years |
1.8.1 | MIT | 4 | 2019-08-27 - 17:37 | over 4 years |
1.9.0 | MIT | 4 | 2019-09-06 - 13:12 | over 4 years |
1.9.1 | MIT | 4 | 2020-01-25 - 23:54 | over 4 years |
0.1.0 | MIT | 4 | 2016-04-10 - 19:31 | about 8 years |
0.0.4 | MIT | 4 | 2015-07-01 - 14:43 | almost 9 years |
0.0.2 | BSD | 4 | 2012-11-21 - 00:14 | over 11 years |
0.0.1 | BSD | 4 | 2012-11-15 - 22:23 | over 11 years |
0.0.3 | BSD | 4 | 2012-11-29 - 08:19 | over 11 years |
0.0.5 | MIT | 4 | 2015-07-01 - 15:27 | almost 9 years |
0.2.0 | MIT | 4 | 2016-06-06 - 22:00 | almost 8 years |
1.2.2 | MIT | 4 | 2017-03-09 - 21:53 | about 7 years |
1.5.2 | MIT | 4 | 2018-08-01 - 18:34 | almost 6 years |
1.10.0 | MIT | 4 | 2020-01-26 - 23:35 | over 4 years |
1.14.2 | MIT | 4 | 2021-08-18 - 12:06 | almost 3 years |
1.14.3 | MIT | 4 | 2021-09-02 - 14:06 | over 2 years |
1.14.4 | MIT | 4 | 2021-09-14 - 12:21 | over 2 years |
1.14.5 | MIT | 4 | 2021-10-30 - 18:29 | over 2 years |
1.14.6 | MIT | 4 | 2021-12-08 - 18:18 | over 2 years |
1.13.3 | MIT | 4 | 2021-02-27 - 14:41 | about 3 years |
1.13.2 | MIT | 4 | 2021-01-25 - 20:31 | over 3 years |
1.14.0 | MIT | 4 | 2021-04-25 - 16:35 | about 3 years |
1.13.0 | MIT | 4 | 2020-08-10 - 11:41 | almost 4 years |
1.12.0 | MIT | 4 | 2020-06-16 - 20:37 | almost 4 years |
1.11.0 | MIT | 4 | 2020-03-29 - 10:54 | about 4 years |
1.12.1 | MIT | 4 | 2020-06-18 - 22:37 | almost 4 years |
1.13.1 | MIT | 4 | 2020-12-13 - 16:04 | over 3 years |
1.14.1 | MIT | 4 | 2021-05-09 - 10:13 | about 3 years |
1.15.6 | MIT | 2024-03-14 - 16:37 | 2 months |