GHSA-cxjh-pqwp-8mfp: follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency follow-redirects only clears the Authorization (and Cookie) headers during a cross-domain redirect, but still forwards the Proxy-Authorization header, which also carries credentials.
Steps To Reproduce & PoC
axios Test Code
```javascript
const axios = require('axios');

// Header names are deliberately mixed-case: the stripping regex in follow-redirects
// is case-insensitive, so the casing makes no difference to which headers are removed.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
}).then(function (response) {
  console.log(response);
});
```
When I hit the cross-domain redirect, the sensitive headers like Authorization and Cookie are cleared, but the Proxy-Authorization header is kept.
Request sent by axios: [image: image-20240314130755052.png]
Request sent by follow-redirects after the redirect: [image: image-20240314130809838.png]
Impact
This vulnerability may lead to a credentials leak.
Recommendations
Remove the Proxy-Authorization header during cross-domain redirects.
Recommended Patch
In follow-redirects/index.js:464, change

```javascript
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
```

to

```javascript
removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
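To make the effect of the one-line patch concrete, here is an added example (not follow-redirects' own code) that models the header stripping on a cross-host redirect with the pre-fix and patched patterns side by side; `isCrossHost()` is a simplification assumed here (scheme and host compared as strings) rather than the library's real check, and the header set is constructed from the PoC above.

```javascript
// Added example, not follow-redirects' own code: a minimal model of the header
// stripping the advisory describes, with the pre-fix and patched patterns side by side.
// isCrossHost() is an assumed simplification (scheme + host compared as strings).

// Pattern quoted in the advisory before the fix: Proxy-Authorization is not covered.
const VULNERABLE_PATTERN = /^(?:authorization|cookie)$/i;
// Pattern from the recommended patch: Proxy-Authorization is dropped as well.
const FIXED_PATTERN = /^(?:authorization|proxy-authorization|cookie)$/i;

// Remove every header whose name matches `regex`. The /i flag is what makes the
// mixed-case names from the PoC ("AuThorization", "coOkie") match, since HTTP header
// names are case-insensitive. Returns the names that were removed.
function removeMatchingHeaders(regex, headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (regex.test(name)) {
      removed.push(name);
      delete headers[name];
    }
  }
  return removed;
}

// A redirect crosses a host boundary when the scheme or the host (with port) differs.
function isCrossHost(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return from.protocol !== to.protocol || from.host !== to.host;
}

// Return the headers that would be sent on the redirected request, applying
// `pattern` only when the redirect leaves the original host. The input is not mutated.
function headersAfterRedirect(headers, fromUrl, toUrl, pattern) {
  const copy = Object.assign({}, headers);
  if (isCrossHost(fromUrl, toUrl)) {
    removeMatchingHeaders(pattern, copy);
  }
  return copy;
}

// Constructed request headers reusing the mixed-case names from the advisory's PoC.
const POC_HEADERS = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
  'Accept': 'application/json',
};

// Constructed cross-host redirect target; example.invalid is a reserved, non-resolvable name.
const ORIGIN = 'http://127.0.0.1:10081/';
const OTHER_HOST = 'http://example.invalid/';

console.log('pre-fix:', headersAfterRedirect(POC_HEADERS, ORIGIN, OTHER_HOST, VULNERABLE_PATTERN));
console.log('patched:', headersAfterRedirect(POC_HEADERS, ORIGIN, OTHER_HOST, FIXED_PATTERN));
```

With the pre-fix pattern the printed headers still contain `ProXy-AuthoriZation` after the cross-host hop; with the patched pattern only `Accept` survives, and a same-host redirect keeps all four headers under either pattern.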
Ref
https://fetch.spec.whatwg.org/#authentication-entries
https://hackerone.com/reports/2390009
References
- GHSA-cxjh-pqwp-8mfp
- follow-redirects/follow-redirects@c4f847f
- https://fetch.spec.whatwg.org/#authentication-entries