QwikSec

Security Database

CVE

CWE

Training

CVE-2024-28849

Published: Mar 14, 2024

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
follow-redirects	follow-redirects	affected `< 1.15.6`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp

x_refsource_CONFIRM

https://github.com/psf/requests/issues/1885

x_refsource_MISC

https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b

x_refsource_MISC

https://hackerone.com/reports/2390009

x_refsource_MISC

https://fetch.spec.whatwg.org/#authentication-entries

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/[email protected]/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.