GHSA-cxjh-pqwp-8mfp

Опубликовано: 14 мар. 2024

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

follow-redirects' Proxy-Authorization header kept across hosts

When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

Steps To Reproduce & PoC

Test code:

const axios = require('axios'); axios.get('http://127.0.0.1:10081/', { headers: { 'AuThorization': 'Rear Test', 'ProXy-AuthoriZation': 'Rear Test', 'coOkie': 't=1' } }) .then((response) => { console.log(response); })

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Impact

This vulnerability may lead to credentials leak.

Recommendations

Remove proxy-authentication header during cross-domain redirect

Recommended Patch

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); + removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);

Ссылки

Пакеты

Наименование

follow-redirects

npm

Затронутые версииВерсия исправления

<= 1.15.5

1.15.6

EPSS

Процентиль: 71%

0.00677

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2024-28849

Дефекты

CWE-200

Связанные уязвимости

CVE-2024-28849

CVSS3: 6.5

ubuntu

почти 2 года назад

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.