
chore(deps): update dependency follow-redirects to v1.16.0 [security]#16

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-follow-redirects-vulnerability


@renovate renovate Bot commented Jan 10, 2024

This PR contains the following updates:

Package           Change            Age      Confidence
follow-redirects  1.15.1 → 1.16.0   (badge)  (badge)

Follow Redirects improperly handles URLs in the url.parse() function

CVE-2023-26159 / GHSA-jchw-25xp-jwwc


Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


follow-redirects' Proxy-Authorization header kept across hosts

CVE-2024-28849 / GHSA-cxjh-pqwp-8mfp


Details

When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.

Steps To Reproduce & PoC

Test code:

const axios = require('axios');

// Header names are deliberately mixed-case to check that matching is case-insensitive.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  });

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.

Impact

This vulnerability may lead to a credential leak.

Recommendations

Remove the proxy-authentication header during cross-domain redirects.

Recommended Patch

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
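Review bot: The added proxy-authorization alternative closes the gap the PoC demonstrates, but only within the condition that guards this call (quoted later on this page from index.js:469-476), which fires solely on cross-domain or protocol-downgrade redirects; keep the /i flag, since the PoC sends the header as 'ProXy-AuthoriZation'. Any non-standard credential header such as X-API-Key is still outside the regex, so consider the third advisory's suggestion of a caller-extensible sensitive-header list rather than hard-coding three names.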

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets

GHSA-r4q5-vmmm-2653


Details

Summary

When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.

Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.

Affected Code

index.js, lines 469-476:

// && binds tighter than ||, so this reads (protocol changed && not upgrading to https)
// || (host changed && new host is not a subdomain of the current host).
if (redirectUrl.protocol !== currentUrlParts.protocol &&
    redirectUrl.protocol !== "https:" ||
    redirectUrl.host !== currentHost &&
    !isSubdomain(redirectUrl.host, currentHost)) {
  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}

The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.

Attack Scenario

  1. App uses axios with a custom auth header: headers: { 'X-API-Key': 'sk-live-secret123' }
  2. Server returns 302 Location: https://evil.com/steal
  3. follow-redirects sends X-API-Key: sk-live-secret123 to evil.com
  4. Attacker captures the API key

Impact

Any custom auth header set via axios leaks on a cross-domain redirect. This is an extremely common pattern, and it affects all axios users in Node.js.

Suggested Fix

Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.

Disclosure

Source code review, manually verified. Found 2026-03-20.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

follow-redirects/follow-redirects (follow-redirects)

  • v1.16.0
  • v1.15.11
  • v1.15.10
  • v1.15.9
  • v1.15.8
  • v1.15.7
  • v1.15.6
  • v1.15.5
  • v1.15.4
  • v1.15.3
  • v1.15.2


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
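The cross-domain check quoted from index.js:469-476 in the GHSA-r4q5-vmmm-2653 advisory above, modelled as an added example (not follow-redirects' or axios' own code): it shows that the fixed regex forwards a custom header such as X-API-Key, while the caller-extensible sensitive-header list the advisory suggests drops it. isSubdomain is a simplified stand-in for the helper the snippet references, and all URLs and header values are constructed.

```javascript
// Added example, not follow-redirects' own code. Re-implements the quoted
// cross-domain check and contrasts the fixed regex with a caller-supplied
// list of extra sensitive header names (the suggested sensitiveHeaders option).

// Names stripped by the library's regex after the CVE-2024-28849 fix.
const DEFAULT_SENSITIVE = /^(?:(?:proxy-)?authorization|cookie)$/i;

function isSubdomain(host, parent) {
  // Assumed semantics: "api.example.com" is a subdomain of "example.com".
  return host.length > parent.length && host.endsWith("." + parent);
}

function isCrossDomain(currentUrl, redirectUrl) {
  const cur = new URL(currentUrl);
  const next = new URL(redirectUrl);
  // Same precedence as the quoted condition: (a && b) || (c && d).
  // Cross-domain if the protocol changes other than to https, or the host
  // changes to something that is not a subdomain of the current host.
  return (next.protocol !== cur.protocol && next.protocol !== "https:") ||
         (next.host !== cur.host && !isSubdomain(next.host, cur.host));
}

// Copy of `headers` without every name the predicate flags as sensitive.
function removeMatchingHeaders(isSensitive, headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!isSensitive(name)) kept[name] = value;
  }
  return kept;
}

// Headers to forward after a redirect. `sensitiveHeaders` adds names to
// strip cross-domain, matched case-insensitively like the regex.
function headersForRedirect(currentUrl, redirectUrl, headers, sensitiveHeaders = []) {
  if (!isCrossDomain(currentUrl, redirectUrl)) return { ...headers };
  const extra = new Set(sensitiveHeaders.map((n) => n.toLowerCase()));
  return removeMatchingHeaders(
    (name) => DEFAULT_SENSITIVE.test(name) || extra.has(name.toLowerCase()),
    headers
  );
}

// Constructed sample request headers, mixed-case like the PoC above.
const sample = { AuThorization: "Bearer t", "ProXy-AuthoriZation": "Basic p",
                 coOkie: "t=1", "X-API-Key": "placeholder-key" };
const from = "https://api.example.com/v1";
const leaked = headersForRedirect(from, "https://other.example.net/", sample);
const fixed = headersForRedirect(from, "https://other.example.net/", sample, ["X-API-Key"]);
console.log(Object.keys(leaked), Object.keys(fixed)); // [ 'X-API-Key' ] []
```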

renovate[bot] changed the title from "fix(deps): update dependency follow-redirects to v1.15.4 [security]" to "fix(deps): update dependency follow-redirects to v1.15.6 [security]" on Mar 16, 2024
renovate[bot] force-pushed the renovate/npm-follow-redirects-vulnerability branch from 6fee892 to 1e8ef87 on March 16, 2024 02:44
renovate[bot] force-pushed the renovate/npm-follow-redirects-vulnerability branch 2 times, most recently from 2a9c68b to e56ee74 on January 31, 2025 07:18
renovate[bot] force-pushed the renovate/npm-follow-redirects-vulnerability branch from e56ee74 to 76b3e4b on August 14, 2025 00:15
renovate[bot] changed the title from "fix(deps): update dependency follow-redirects to v1.15.6 [security]" to "chore(deps): update dependency follow-redirects to v1.15.6 [security]" on Sep 26, 2025
renovate[bot] force-pushed the renovate/npm-follow-redirects-vulnerability branch from 76b3e4b to 2b9353f on April 15, 2026 13:21
renovate[bot] changed the title from "chore(deps): update dependency follow-redirects to v1.15.6 [security]" to "chore(deps): update dependency follow-redirects to v1.16.0 [security]" on Apr 15, 2026