Forwarding of confidentials headers to third parties in fluture-node
Low severity
GitHub Reviewed
Published
Mar 1, 2022
in
fluture-js/fluture-node
•
Updated Oct 24, 2024
Description
Published by the National Vulnerability Database
Mar 1, 2022
Published to the GitHub Advisory Database
Mar 1, 2022
Reviewed
Mar 1, 2022
Last updated
Oct 24, 2024
Impact
Using
followRedirects
orfollowRedirectsWith
with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability where, if the destination server were to redirect the request to a server on a third-party domain, or the same domain over unencrypted HTTP, the headers would be included in the follow-up request and be exposed to the third party, or potential http traffic sniffing.Patches
The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin.
Workarounds
Use a custom redirection strategy via the
followRedirectsWith
function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.References
follow-redirects
package. There is more information there: GHSA-74fj-2j2h-c42q and https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/References