GHSA-R4Q5-VMMM-2653: Information Exposure via Sensitive Header Leak in follow-redirects
Vulnerability ID: GHSA-R4Q5-VMMM-2653
CVSS Score: 7.4
Published: 2026-04-14
The follow-redirects Node.js library contains an information exposure vulnerability: custom authentication headers are forwarded to a different origin when a request is redirected. The library stripped credentials using a hardcoded regex blacklist of well-known header names, so non-standard headers (for example X-API-Key) were not removed on cross-origin redirects or on HTTPS-to-HTTP protocol downgrades.
TL;DR
The follow-redirects package forwards custom HTTP headers such as X-API-Key to third-party domains when it follows an HTTP 302 redirect, because its header sanitization relied on an incomplete blacklist of known credential headers.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Information Exposure (Sensitive Header Leak)
- CWE ID: CWE-200
- CVSSv3 Score: 7.4
- Attack Vector: Network
- Privileges Required: None
- Affected Component: RedirectableRequest class
- Exploit Status: Proof of Concept available
Affected Systems
- follow-redirects (NPM)
- Node.js applications that use follow-redirects directly
- axios (applications that pull in follow-redirects as a transitive dependency)
- follow-redirects: < 1.15.6 (Fixed in: 1.15.6)
Code Analysis
Commit: 844c4d3
Introduced the sensitiveHeaders configuration option and dynamic regex generation, so that the header filter applied on cross-origin redirects is built from the default credential headers plus any custom header names the caller supplies, instead of a fixed blacklist.
Mitigation Strategies
- Dependency Upgrade
- Configuration Updates
- Redirect Disabling
Remediation Steps:
- Update follow-redirects to version 1.15.6 or higher via the package manager. When the dependency is transitive (for example through axios), confirm the resolved version with npm ls follow-redirects, since a lockfile can pin an older copy.
- Identify all custom HTTP headers used for authentication or authorization in the codebase.
- Pass the identified headers in the sensitiveHeaders option array when constructing HTTP requests.
- Review higher-level HTTP clients (such as axios) for mechanisms to pass down the sensitiveHeaders configuration.
- Where redirects are not needed, disable them entirely so that no header can be forwarded to another origin.
References
Read the full report for GHSA-R4Q5-VMMM-2653 on our website for more details including interactive diagrams and full exploit analysis.