Version Details and Security Vulnerabilities

📦

follow-redirects

1.15.1

Comparision Betweeen 1.15.1 and 1.15.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

27.08 KB

26.78 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

follow-redirects

1.15.1

Comparision Betweeen 1.15.1 and 1.15.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

27.08 KB

26.78 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.15.1 of the package follow-redirects.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.15.1 of the package

Summary:

follow-redirects' Proxy-Authorization header kept across hosts

Details:

When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

Steps To Reproduce & PoC

Test code:

const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Impact

This vulnerability may lead to credentials leak.

Recommendations

Remove proxy-authentication header during cross-domain redirect

Recommended Patch

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);

Details about follow-redirects@1.15.1

Summary:

Follow Redirects improperly handles URLs in the url.parse() function

Details:

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Details about follow-redirects@1.15.1

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.15.1 of the package follow-redirects.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.15.1 of the package

Summary:

follow-redirects' Proxy-Authorization header kept across hosts

Details:

When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

Steps To Reproduce & PoC

Test code:

const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Impact

This vulnerability may lead to credentials leak.

Recommendations

Remove proxy-authentication header during cross-domain redirect

Recommended Patch

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);

Details about follow-redirects@1.15.1

Summary:

Follow Redirects improperly handles URLs in the url.parse() function

Details:

Details about follow-redirects@1.15.1

Version Details and Security Vulnerabilities

follow-redirects

Comparision Betweeen 1.15.1 and 1.15.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

follow-redirects

Comparision Betweeen 1.15.1 and 1.15.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Steps To Reproduce & PoC

Impact

Recommendations

Recommended Patch

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Steps To Reproduce & PoC

Impact

Recommendations

Recommended Patch

Version Details and Security Vulnerabilities

follow-redirects

Comparision Betweeen 1.15.1 and 1.15.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

follow-redirects

Comparision Betweeen 1.15.1 and 1.15.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

follow-redirects@1.15.1 GHSA-cxjh-pqwp-8mfp 6.5

Steps To Reproduce & PoC

Impact

Recommendations

Recommended Patch

follow-redirects@1.15.1 GHSA-jchw-25xp-jwwc 6.1

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

follow-redirects@1.15.1 GHSA-cxjh-pqwp-8mfp 6.5

Steps To Reproduce & PoC

Impact

Recommendations

Recommended Patch

follow-redirects@1.15.1 GHSA-jchw-25xp-jwwc 6.1