CVE-2024-28849
ADVISORY - github
Summary
When using axios, its dependency follow-redirects clears only the authorization header during a cross-domain redirect, but keeps the proxy-authorization header, which also contains credentials.
Steps To Reproduce & PoC
Test code:
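// Send credential-bearing headers (names in mixed case) to an endpoint
// that responds with a cross-domain redirect.
const axios = require('axios');
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  });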
When I meet a cross-domain redirect, sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
Impact
This vulnerability may lead to a credential leak.
Recommendations
Remove the proxy-authorization header during cross-domain redirects.
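A simplified model of the header stripping, usable as a regression check for the fix. This is an added example, not code from follow-redirects or the advisory; `stripOnRedirect`, `leakedCredentialHeaders` and the redirect target `other.example` are assumptions, and the cross-domain test here compares only the URL host.

```javascript
// Added example: stand-alone model of credential-header stripping on redirect.
// Function names are hypothetical; this is not follow-redirects' own API.
const VULNERABLE = /^(?:authorization|cookie)$/i;                  // pattern before the fix
const PATCHED = /^(?:authorization|proxy-authorization|cookie)$/i; // pattern after the fix

// Return a copy of `headers` as they would be sent to `nextUrl`.
// Matching headers are dropped only when the redirect leaves the original host
// (assumption: a plain host comparison, simpler than the library's real check).
function stripOnRedirect(headers, currentUrl, nextUrl, pattern) {
  const from = new URL(currentUrl);
  const to = new URL(nextUrl, from); // a Location value may be relative
  const crossHost = from.host !== to.host;
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && pattern.test(name)) continue; // strip, whatever the casing
    forwarded[name] = value;
  }
  return forwarded;
}

// Audit helper: lower-cased names of forwarded headers that carry credentials.
function leakedCredentialHeaders(forwarded) {
  return Object.keys(forwarded)
    .filter((name) => PATCHED.test(name))
    .map((name) => name.toLowerCase());
}

// Constructed input: the PoC's header set plus one benign header.
const pocHeaders = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
  'Accept': 'application/json',
};
const origin = 'http://127.0.0.1:10081/';
const crossDomain = 'http://other.example/landing'; // constructed redirect target

for (const [label, pattern] of [['before fix', VULNERABLE], ['after fix', PATCHED]]) {
  const sent = stripOnRedirect(pocHeaders, origin, crossDomain, pattern);
  console.log(label, '-> credentials forwarded:', leakedCredentialHeaders(sent));
}
```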
Recommended Patch
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
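Review bot: The alternation on the `+` line is still a fixed list of three header names, so any other credential-carrying header present in `this._options.headers` is forwarded across the redirect unchanged; consider documenting that limitation next to this call. A regression test that sends mixed-case names such as the PoC's 'ProXy-AuthoriZation' would also confirm that the `i` flag and the `^...$` anchors cover the new entry.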
Common Weakness Enumeration (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
NIST: 2.8, CVSS score 6.5 (medium)
GitHub: 2.8, CVSS score 6.5 (medium)
Debian: -
Ubuntu: -, CVSS score N/A (medium)
Red Hat: 2.8, CVSS score 6.5 (medium)
Chainguard CGA-3qpx-2jp6-8w3m: -
Chainguard CGA-7g4q-75vq-228c: -
Chainguard CGA-896m-v6ff-2q96: -
Chainguard CGA-8m86-gww5-8pm9: -
Chainguard CGA-fp6h-638c-5c69: -
Chainguard CGA-r834-rj47-cfj9: -
Chainguard CGA-w43g-68f9-2mqp: -