CVE-2024-28849: follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency library follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.
Steps To Reproduce & PoC
axios Test Code
const axios = require(‘axios’);
axios.get(‘http://127.0.0.1:10081/’,{ headers: { ‘AuThorization’: ‘Rear Test’, ‘ProXy-AuthoriZation’: ‘Rear Test’, ‘coOkie’: ’t=1’ } }).then(function (response) { console.log(response); }) When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
Request sent by axios
image-20240314130755052.png Request sent by follow-redirects after redirectimage-20240314130809838.png
Impact
This vulnerability may lead to credentials leak.
Recommendations
Remove proxy-authentication header during cross-domain redirect Recommended Patch
follow-redirects/index.js:464
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); change to
removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers); Ref
https://fetch.spec.whatwg.org/#authentication-entries https://hackerone.com/reports/2390009
References
- fetch.spec.whatwg.org/
- github.com/advisories/GHSA-cxjh-pqwp-8mfp
- github.com/follow-redirects/follow-redirects
- github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
- github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
- github.com/psf/requests/issues/1885
- hackerone.com/reports/2390009
- nvd.nist.gov/vuln/detail/CVE-2024-28849
Detect and mitigate CVE-2024-28849 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →