Sensitive information sent insecurely in node-follow-redirects
Description
follow-redirects' Proxy-Authorization header is kept across hosts. When using axios, its dependency follow-redirects only clears the Authorization header (and Cookie) during a cross-domain redirect, but forwards the Proxy-Authorization header, which also carries credentials, to the new host.
Steps To Reproduce & PoC
Test code:

```javascript
const axios = require('axios');
axios.get('http://127.0.0.1:10081/', {
  headers: { 'AuThorization': 'Rear Test', 'ProXy-AuthoriZation': 'Rear Test', 'coOkie': 't=1' }
  ...
```
When I hit the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
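The following added example (not follow-redirects' or axios' own code) models the header-scrubbing decision the library makes on a redirect, so the leak can be reproduced and the fix checked offline without the real client. `isCrossHost`, `headersForRedirect` and the sample headers are assumptions made for this illustration; the two regexes are the ones from the recommended patch.

```javascript
// Models the credential scrubbing follow-redirects applies when it follows
// a redirect. This is not the library's code; only the decision logic is
// reproduced so the vulnerable and patched patterns can be compared.
const VULNERABLE = /^(?:authorization|cookie)$/i;                   // before the patch
const PATCHED = /^(?:authorization|proxy-authorization|cookie)$/i;  // after the patch

// Delete every header whose name matches the pattern (name matching is
// case-insensitive, as HTTP header names are).
function removeMatchingHeaders(regex, headers) {
  for (const name of Object.keys(headers)) {
    if (regex.test(name)) delete headers[name];
  }
  return headers;
}

// A redirect counts as cross-host when the host (hostname:port) changes or
// the scheme downgrades from https to http; credentials must not follow it.
// (Assumed rule for this example, not the library's exact check.)
function isCrossHost(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  return downgrade || from.host !== to.host;
}

// Compute the headers sent on the follow-up request.
function headersForRedirect(fromUrl, toUrl, headers, pattern = PATCHED) {
  const next = { ...headers };
  if (isCrossHost(fromUrl, toUrl)) removeMatchingHeaders(pattern, next);
  return next;
}

// Constructed request headers, in mixed case like the PoC above.
const SAMPLE_HEADERS = {
  AuThorization: 'Bearer test',
  'ProXy-AuthoriZation': 'Basic test',
  coOkie: 't=1',
  Accept: 'application/json',
};

// Names that survive a redirect from one local port to another.
function survivingHeaderNames(pattern) {
  const sent = headersForRedirect('http://127.0.0.1:10081/',
    'http://127.0.0.1:10082/', SAMPLE_HEADERS, pattern);
  return Object.keys(sent).sort();
}
```

With the vulnerable pattern, `survivingHeaderNames(VULNERABLE)` still contains `ProXy-AuthoriZation`; with the patched pattern only `Accept` is forwarded.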
Impact
This vulnerability may lead to a credential leak: a Proxy-Authorization value sent to the original host is forwarded to whichever host the redirect points at.
Recommendations
Remove the Proxy-Authorization header, alongside Authorization and Cookie, during cross-domain redirects.
Recommended Patch
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); + removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
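Review bot: the regex change covers the header named in this report, but the hunk only shows the pattern, not the condition under which removeMatchingHeaders is called; confirm the call is reached on every cross-host path (host or port change, and scheme change) so the wider pattern is actually applied. A regression test that sends a Proxy-Authorization header through a redirect to a second host and asserts it is absent on the follow-up request would pin the fix.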
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 13 | 1.15.6+~1.14.4-1 | | |
| debian 12 | - | | |
| npm | 1.15.6 | | |
| debian 11 | - | | |
| debian 14 | 1.15.6+~1.14.4-1 | | |