OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

Fix CVE-2024-28849 #242

Closed debricked[bot] closed 3 months ago

debricked[bot] commented 3 months ago

CVE-2024-28849

Vulnerability details

Description

### Exposure of Sensitive Information to an Unauthorized Actor

> The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

### NVD

> follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials too. This vulnerability may lead to a credential leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

### GitHub

> follow-redirects' Proxy-Authorization header kept across hosts
>
> When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
>
> ## Steps To Reproduce & PoC
>
> Test code:
>
> ```js
> const axios = require('axios');
>
> axios.get('http://127.0.0.1:10081/', {
>   headers: {
>     'AuThorization': 'Rear Test',
>     'ProXy-AuthoriZation': 'Rear Test',
>     'coOkie': 't=1'
>   }
> })
> .then((response) => {
>   console.log(response);
> });
> ```
>
> When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
>
> ## Impact
>
> This vulnerability may lead to a credential leak.
>
> ## Recommendations
>
> Remove the proxy-authentication header during cross-domain redirects.
>
> ### Recommended Patch
>
> [follow-redirects/index.js:464](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)
>
> ```diff
> - removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
> + removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
> ```
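Review bot: the widened alternation only takes effect on the cross-domain branch that calls removeMatchingHeaders, and the `i` flag is what makes the mixed-case names from the PoC (`ProXy-AuthoriZation`) match; a regression test that sends such a header across a cross-host redirect and asserts it is absent on the second request would pin both behaviours.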
CVSS details - 6.5

| CVSS3 metrics | |
|:-|:-|
| Attack Vector | **Network** |
| Attack Complexity | **Low** |
| Privileges Required | **Low** |
| User Interaction | **None** |
| Scope | **Unchanged** |
| Confidentiality | **High** |
| Integrity | **None** |
| Availability | **None** |
References

- [follow-redirects' Proxy-Authorization header kept across hosts · CVE-2024-28849 · GitHub Advisory Database · GitHub](https://github.com/advisories/GHSA-cxjh-pqwp-8mfp)
- [NVD - CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)
- [Drop Proxy-Authorization across hosts. · follow-redirects/follow-redirects@c4f847f · GitHub](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)
- [Fetch Standard](https://fetch.spec.whatwg.org/#authentication-entries)
- [Redirect can expose netrc password · Issue #1885 · psf/requests · GitHub](https://github.com/psf/requests/issues/1885)
- [Proxy-Authorization header kept across hosts · Advisory · follow-redirects/follow-redirects · GitHub](https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp)
- [HackerOne](https://hackerone.com/reports/2390009)
- [[SECURITY] Fedora 40 Update: pgadmin4-8.4-2.fc40 - package-announce - Fedora Mailing-Lists](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/)


Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE
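As an added illustration (not code from follow-redirects or from this repository), the block below models the header-stripping step the advisory describes, running the page's pre-fix and post-fix regexes over the PoC's mixed-case header names. The host comparison is a simplified assumption rather than the library's exact rule, and the sample headers and redirect targets are constructed.

```javascript
// Added example modelling CVE-2024-28849: which request headers survive a
// redirect, before and after the follow-redirects fix. Not the library's code.

// Pattern before the fix (quoted on the page) and after the fix.
const VULNERABLE_PATTERN = /^(?:authorization|cookie)$/i;
const FIXED_PATTERN = /^(?:authorization|proxy-authorization|cookie)$/i;

// Same shape as removeMatchingHeaders(regex, headers): delete every header
// whose name matches; the `i` flag makes the match case-insensitive.
function removeMatchingHeaders(regex, headers) {
  for (const name of Object.keys(headers)) {
    if (regex.test(name)) delete headers[name];
  }
  return headers;
}

// Simplified cross-host rule (assumption): strip only when the redirect
// target's host differs from the original request's host.
function headersAfterRedirect(fromUrl, toUrl, headers, pattern) {
  const out = { ...headers }; // never mutate the caller's object
  if (new URL(fromUrl).host !== new URL(toUrl).host) {
    removeMatchingHeaders(pattern, out);
  }
  return out;
}

// Constructed sample: the mixed-case header names from the advisory's PoC
// plus one harmless header that must survive in every case.
const SAMPLE_HEADERS = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
  'Accept': 'application/json',
};

// Returns the surviving header names for three scenarios.
function demo() {
  const from = 'http://127.0.0.1:10081/';
  const crossHost = 'http://other-host.example/'; // constructed target
  const sameHost = 'http://127.0.0.1:10081/next';
  return {
    vulnerable: Object.keys(headersAfterRedirect(from, crossHost, SAMPLE_HEADERS, VULNERABLE_PATTERN)),
    fixed: Object.keys(headersAfterRedirect(from, crossHost, SAMPLE_HEADERS, FIXED_PATTERN)),
    sameHost: Object.keys(headersAfterRedirect(from, sameHost, SAMPLE_HEADERS, FIXED_PATTERN)),
  };
}

console.log(demo());
```

The vulnerable run keeps `ProXy-AuthoriZation` on the cross-host request while dropping the other credentials; the fixed run leaves only `Accept`, and a same-host redirect strips nothing under either pattern.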