Sensitive information sent insecurely in follow-redirects
Description
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
Summary
When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.
Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.
Affected Code
index.js, lines 469-476:
```js
if (redirectUrl.protocol !== currentUrlParts.protocol && redirectUrl.protocol !== "https:" ||
    redirectUrl.host !== currentHost && !isSubdomain(redirectUrl.host, currentHost)) {
  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}
```
The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.
Attack Scenario
1. The app uses axios with a custom auth header: headers: { 'X-API-Key': 'sk-live-secret123' }
2. The server returns 302 Location: https://evil.com/steal
3. follow-redirects sends X-API-Key: sk-live-secret123 to evil.com
4. The attacker captures the API key
Impact
Any custom auth header set via axios leaks on a cross-domain redirect. This is an extremely common pattern, so it affects all axios users on Node.js.
Suggested Fix
Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.
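As an added illustration of both the affected check and the suggested fix (this is example code, not follow-redirects' own source), the sanitizer below reproduces the cross-domain condition quoted above and adds a sensitiveHeaders list so callers can name the custom headers that must also be stripped. The isSubdomain helper is modelled on the one follow-redirects uses but is written here as an assumption; header values and hostnames are constructed placeholders.

```javascript
// Added example, not code from follow-redirects: a redirect-header sanitizer that
// mirrors the cross-domain check from the advisory and extends the stripped set
// with caller-supplied header names (the suggested "sensitiveHeaders" option).

// The default regex quoted in the advisory: only these three names are stripped.
const DEFAULT_SENSITIVE = /^(?:(?:proxy-)?authorization|cookie)$/i;

// Assumed helper, modelled on follow-redirects' isSubdomain: "api.example.com"
// is a subdomain of "example.com", but "notexample.com" is not.
function isSubdomain(subdomain, domain) {
  const dot = subdomain.length - domain.length - 1;
  return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
}

// True when the redirect leaves the trust boundary of the current request:
// a downgrade away from https, or a move to a host that is neither the same
// host nor one of its subdomains. This is the condition from the advisory.
function crossesTrustBoundary(currentUrl, redirectUrl) {
  const cur = new URL(currentUrl);
  const next = new URL(redirectUrl);
  const protocolChanged = next.protocol !== cur.protocol && next.protocol !== "https:";
  const hostChanged = next.host !== cur.host && !isSubdomain(next.host, cur.host);
  return protocolChanged || hostChanged;
}

// Build the header set for the redirected request. `sensitiveHeaders` is the
// hypothetical option: extra header names (case-insensitive) to strip as well.
function headersForRedirect(headers, currentUrl, redirectUrl, sensitiveHeaders = []) {
  if (!crossesTrustBoundary(currentUrl, redirectUrl)) {
    return { ...headers }; // same origin or subdomain: nothing is stripped
  }
  const extra = new Set(sensitiveHeaders.map((h) => h.toLowerCase()));
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (DEFAULT_SENSITIVE.test(name) || extra.has(name.toLowerCase())) continue;
    kept[name] = value;
  }
  return kept;
}

// Constructed sample mirroring the advisory's scenario, with placeholder secrets.
const requestHeaders = {
  Authorization: "Bearer <placeholder-token>",
  "X-API-Key": "<placeholder-api-key>",
  Accept: "application/json",
};
const origin = "https://api.example.com/v1/resource";
const crossDomainTarget = "https://redirect-target.example.net/path"; // constructed

// Behaviour the advisory describes: Authorization goes, X-API-Key survives.
function withDefaultsOnly() {
  return headersForRedirect(requestHeaders, origin, crossDomainTarget);
}

// With the suggested option the custom header is dropped as well.
function withSensitiveHeadersOption() {
  return headersForRedirect(requestHeaders, origin, crossDomainTarget, ["X-API-Key"]);
}

console.log("defaults only:", withDefaultsOnly());
console.log("with sensitiveHeaders:", withSensitiveHeadersOption());
```

Note that the option is opt-in: an application that never lists its custom header keeps the leaking behaviour, which is why the advisory's alternative of stripping all non-standard headers on a cross-domain redirect is the safer default.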
Disclosure
Source code review, manually verified. Found 2026-03-20.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | follow-redirects | 1.16.0 | |