NodeJS/follow-redirects/1.4.0


HTTP and HTTPS modules that follow redirects.

https://www.npmjs.com/package/follow-redirects
MIT

4 Security Vulnerabilities

Exposure of sensitive information in follow-redirects

Published date: 2022-01-12T22:46:26Z
CVE: CVE-2022-0155

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.1.0", "0.2.0", "0.3.0", "1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.5.10", "1.6.0", "1.6.1", "1.7.0", "1.8.0", "1.8.1", "1.9.0", "1.9.1", "1.10.0", "1.11.0", "1.12.0", "1.12.1", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.14.6"]
Secure versions: [1.15.6]
Recommendation: Update to version 1.15.6.

follow-redirects' Proxy-Authorization header kept across hosts

Published date: 2024-03-14T17:19:42Z
CVE: CVE-2024-28849

When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.

Steps To Reproduce & PoC

Test code:

const axios = require('axios');

// Send credential-bearing headers with mixed-case names.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  });

When I encounter a cross-domain redirect, sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.

Impact

This vulnerability may lead to a credentials leak.

Recommendations

Remove the proxy-authentication header during cross-domain redirects.

Recommended Patch

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
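
Review bot: on the `+` line the set of credential headers is still an inline regex literal at the call site, so the next header that has to be dropped means another edit like this one. Consider hoisting the pattern to a named constant with a comment saying these headers are removed when a redirect changes host, and add a regression test that sends a mixed-case `ProXy-AuthoriZation` header (as in the test code above) through a cross-domain redirect and asserts it is absent from the follow-up request.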

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.1.0", "0.2.0", "0.3.0", "1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.5.10", "1.6.0", "1.6.1", "1.7.0", "1.8.0", "1.8.1", "1.9.0", "1.9.1", "1.10.0", "1.11.0", "1.12.0", "1.12.1", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.14.6", "1.14.7", "1.14.8", "1.14.9", "1.15.0", "1.15.1", "1.15.2", "1.15.3", "1.15.4", "1.15.5"]
Secure versions: [1.15.6]
Recommendation: Update to version 1.15.6.
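
The header handling described in this advisory, as an added example that is not part of the advisory or of follow-redirects' source: a stand-in `removeMatchingHeaders` run over the header set from the test code, with the pattern before and after the recommended patch. The `headersAfterRedirect` helper, its plain host comparison and the `redirect-target.example` URL are assumptions made for illustration.

```javascript
// Added illustration: a stand-in for the redirect header handling, not library source.
// The two patterns are the ones shown in the recommended patch.
const BEFORE_FIX = /^(?:authorization|cookie)$/i;
const AFTER_FIX = /^(?:authorization|proxy-authorization|cookie)$/i;

// Delete every header whose name matches `pattern`; return the removed names.
function removeMatchingHeaders(pattern, headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (pattern.test(name)) {
      removed.push(name);
      delete headers[name];
    }
  }
  return removed;
}

// Hypothetical helper: headers sent on the request that follows a redirect.
// Assumption: "cross-domain" is modelled as a change of URL host.
function headersAfterRedirect(currentUrl, location, headers, pattern) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  const next = { ...headers };        // leave the caller's object untouched
  if (to.host !== from.host) {
    removeMatchingHeaders(pattern, next);
  }
  return next;
}

// Constructed input: the header set from the test code above.
const pocHeaders = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
};
const origin = 'http://127.0.0.1:10081/';
const crossHost = 'http://redirect-target.example/'; // assumed redirect target

console.log('before fix:', headersAfterRedirect(origin, crossHost, pocHeaders, BEFORE_FIX));
console.log('after fix: ', headersAfterRedirect(origin, crossHost, pocHeaders, AFTER_FIX));
console.log('same host: ', headersAfterRedirect(origin, '/next', pocHeaders, AFTER_FIX));
```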

Follow Redirects improperly handles URLs in the url.parse() function

Published date: 2024-01-02T06:30:30Z
CVE: CVE-2023-26159

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.1.0", "0.2.0", "0.3.0", "1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.5.10", "1.6.0", "1.6.1", "1.7.0", "1.8.0", "1.8.1", "1.9.0", "1.9.1", "1.10.0", "1.11.0", "1.12.0", "1.12.1", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.14.6", "1.14.7", "1.14.8", "1.14.9", "1.15.0", "1.15.1", "1.15.2", "1.15.3"]
Secure versions: [1.15.6]
Recommendation: Update to version 1.15.6.

Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects

Published date: 2022-02-10T00:00:31Z
CVE: CVE-2022-0536

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.1.0", "0.2.0", "0.3.0", "1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.5.10", "1.6.0", "1.6.1", "1.7.0", "1.8.0", "1.8.1", "1.9.0", "1.9.1", "1.10.0", "1.11.0", "1.12.0", "1.12.1", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.14.6", "1.14.7"]
Secure versions: [1.15.6]
Recommendation: Update to version 1.15.6.

65 Other Versions

Version License Security Released
1.15.6 MIT 2024-03-14 - 16:37 about 1 month
1.15.5 MIT 1 2024-01-12 - 08:41 3 months
1.15.4 MIT 1 2023-12-30 - 17:28 4 months
1.15.3 MIT 2 2023-09-19 - 18:51 7 months
1.15.2 MIT 2 2022-09-13 - 15:04 over 1 year
1.15.1 MIT 2 2022-05-26 - 23:23 almost 2 years
1.15.0 MIT 2 2022-05-03 - 21:30 almost 2 years
1.14.9 MIT 2 2022-02-18 - 09:27 about 2 years
1.14.8 MIT 2 2022-02-08 - 11:04 about 2 years
1.14.7 MIT 3 2022-01-10 - 16:58 over 2 years
1.14.6 MIT 4 2021-12-08 - 18:18 over 2 years
1.14.5 MIT 4 2021-10-30 - 18:29 over 2 years
1.14.4 MIT 4 2021-09-14 - 12:21 over 2 years
1.14.3 MIT 4 2021-09-02 - 14:06 over 2 years
1.14.2 MIT 4 2021-08-18 - 12:06 over 2 years
1.14.1 MIT 4 2021-05-09 - 10:13 almost 3 years
1.14.0 MIT 4 2021-04-25 - 16:35 almost 3 years
1.13.3 MIT 4 2021-02-27 - 14:41 about 3 years
1.13.2 MIT 4 2021-01-25 - 20:31 about 3 years
1.13.1 MIT 4 2020-12-13 - 16:04 over 3 years
1.13.0 MIT 4 2020-08-10 - 11:41 over 3 years
1.12.1 MIT 4 2020-06-18 - 22:37 almost 4 years
1.12.0 MIT 4 2020-06-16 - 20:37 almost 4 years
1.11.0 MIT 4 2020-03-29 - 10:54 about 4 years
1.10.0 MIT 4 2020-01-26 - 23:35 about 4 years
1.9.1 MIT 4 2020-01-25 - 23:54 about 4 years
1.9.0 MIT 4 2019-09-06 - 13:12 over 4 years
1.8.1 MIT 4 2019-08-27 - 17:37 over 4 years
1.8.0 MIT 4 2019-08-27 - 11:10 over 4 years
1.7.0 MIT 4 2019-02-13 - 21:40 about 5 years
1.6.1 MIT 4 2019-01-03 - 10:24 over 5 years
1.6.0 MIT 4 2018-12-25 - 22:27 over 5 years
1.5.10 MIT 4 2018-11-19 - 21:25 over 5 years
1.5.9 MIT 4 2018-10-09 - 16:01 over 5 years
1.5.8 MIT 4 2018-09-11 - 19:25 over 5 years
1.5.7 MIT 4 2018-08-22 - 18:02 over 5 years
1.5.6 MIT 4 2018-08-21 - 01:44 over 5 years
1.5.5 MIT 4 2018-08-13 - 18:02 over 5 years
1.5.4 MIT 4 2018-08-13 - 13:18 over 5 years
1.5.3 MIT 4 2018-08-13 - 11:15 over 5 years
1.5.2 MIT 4 2018-08-01 - 18:34 over 5 years
1.5.1 MIT 4 2018-07-05 - 20:44 almost 6 years
1.5.0 MIT 4 2018-05-19 - 16:17 almost 6 years
1.4.1 MIT 4 2018-01-24 - 00:42 about 6 years
1.4.0 MIT 4 2018-01-21 - 21:55 about 6 years
1.3.0 MIT 4 2018-01-05 - 18:57 over 6 years
1.2.6 MIT 4 2017-11-22 - 10:35 over 6 years
1.2.5 MIT 4 2017-10-05 - 17:04 over 6 years
1.2.4 MIT 4 2017-06-21 - 19:39 almost 7 years
1.2.3 MIT 4 2017-03-10 - 16:51 about 7 years
1.2.2 MIT 4 2017-03-09 - 21:53 about 7 years
1.2.1 MIT 4 2016-12-18 - 12:52 over 7 years
1.2.0 MIT 4 2016-12-07 - 21:50 over 7 years
1.1.0 MIT 4 2016-11-06 - 16:44 over 7 years
1.0.0 MIT 4 2016-10-23 - 16:09 over 7 years
0.3.0 MIT 4 2016-10-20 - 15:49 over 7 years
0.2.0 MIT 4 2016-06-06 - 22:00 almost 8 years
0.1.0 MIT 4 2016-04-10 - 19:31 about 8 years
0.0.7 MIT 4 2015-09-10 - 01:41 over 8 years
0.0.6 MIT 4 2015-07-04 - 13:26 almost 9 years
0.0.5 MIT 4 2015-07-01 - 15:27 almost 9 years
0.0.4 MIT 4 2015-07-01 - 14:43 almost 9 years
0.0.3 BSD 4 2012-11-29 - 08:19 over 11 years
0.0.2 BSD 4 2012-11-21 - 00:14 over 11 years
0.0.1 BSD 4 2012-11-15 - 22:23 over 11 years