GHSA-cxjh-pqwp-8mfp: follow-redirects' Proxy-Authorization header kept across hosts

When using axios, its dependency follow-redirects clears only the authorization header (and cookie) on a cross-domain redirect, but lets the proxy-authorization header through, even though it carries credentials too.

Steps To Reproduce & PoC

axios Test Code

const axios = require('axios');

// Send a request carrying credentials in deliberately mixed-case header names;
// follow-redirects matches header names case-insensitively when it scrubs them.
// The local server on :10081 is expected to answer with a redirect to another host.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
}).then(function (response) {
  console.log(response);
});

When I hit the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authorization header is kept.

[image: Request sent by axios]

[image: Request sent by follow-redirects after the redirect]

Impact

This vulnerability may lead to a credential leak: the proxy credentials are forwarded to whatever host the redirect points at.

Recommendations

Remove the proxy-authorization header during a cross-domain redirect.

Recommended Patch

follow-redirects/index.js:464

removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);

change to

removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
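The following is an added example, not follow-redirects' own code: a small model of the header-scrubbing step on a cross-host redirect, run once with the pre-patch regex and once with the patched one against constructed headers shaped like the PoC above. The helper names, the sample credential values and the redirect target other.example are assumptions.

```javascript
// Added model of the cross-host redirect scrub (not follow-redirects' code).
// Only the two regexes are taken from the advisory's patch lines.
const VULNERABLE = /^(?:authorization|cookie)$/i;                  // before the fix
const FIXED = /^(?:authorization|proxy-authorization|cookie)$/i;   // after the fix

// Delete every header whose name matches `pattern` (case-insensitive, like
// the real scrub) and return the names that were removed.
function removeMatchingHeaders(pattern, headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (pattern.test(name)) {
      removed.push(name);
      delete headers[name];
    }
  }
  return removed;
}

// Simplified cross-host check: scheme, host or port differs between the two URLs.
function isCrossHost(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Build the headers for the follow-up request: copy them, and scrub only when
// the Location header points at another origin.
function followRedirect(fromUrl, location, headers, pattern) {
  const next = { ...headers };
  if (isCrossHost(fromUrl, location)) removeMatchingHeaders(pattern, next);
  return next;
}

// Constructed sample headers mirroring the PoC's mixed-case names (values are made up).
const sampleHeaders = {
  'AuThorization': 'Bearer example-token',
  'ProXy-AuthoriZation': 'Basic cHJveHk6c2VjcmV0',
  'coOkie': 't=1',
  'Accept': 'application/json',
};

// Which credential-bearing headers survive a cross-host redirect under `pattern`?
function leakedHeaders(pattern) {
  const after = followRedirect('http://127.0.0.1:10081/', 'http://other.example/',
                               sampleHeaders, pattern);
  return Object.keys(after).filter((n) => FIXED.test(n));
}

console.log('leaked before fix:', leakedHeaders(VULNERABLE)); // [ 'ProXy-AuthoriZation' ]
console.log('leaked after fix: ', leakedHeaders(FIXED));      // []
```

A same-origin redirect keeps all four headers under either regex, which is the behaviour the scrub is meant to preserve.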
Ref

https://fetch.spec.whatwg.org/#authentication-entries
https://hackerone.com/reports/2390009

References

  • GHSA-cxjh-pqwp-8mfp
  • follow-redirects/follow-redirects@c4f847f
  • https://fetch.spec.whatwg.org/#authentication-entries
