follow-redirects
cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:*:*, +1 more
- <= 1.15.11
A vulnerability exists in follow-redirects, a Node.js library that automatically follows HTTP redirects. In versions prior to 1.16.0, the library does not correctly handle custom authentication headers when following a cross-domain redirect: instead of stripping these headers, follow-redirects forwards them verbatim to the redirect target. The issue is particularly concerning because follow-redirects is the default redirect handler in axios, a popular HTTP client for Node.js.
The vulnerability allows any custom authentication header, such as X-API-Key or X-Auth-Token, to be leaked to a cross-domain redirect target. Because such headers are a common way of carrying API credentials, the leak could result in unauthorized access or misuse of API keys.
To reproduce this vulnerability, send an HTTP request with axios that includes a custom authentication header, such as X-API-Key, to a URL that responds with a cross-domain redirect. When the request follows the redirect, follow-redirects strips only the standard Authorization and Cookie headers, while the custom header is forwarded to the redirect destination. An attacker who controls that destination can then capture the leaked header value.
Users should update to follow-redirects version 1.16.0 or later, where this vulnerability has been fixed.
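As an added example (not code from follow-redirects or axios), the following Node.js script models the pre-1.16.0 behaviour described above beside a hardened redirect policy that also strips custom credential headers on cross-domain redirects, and reports which headers the old behaviour would have leaked. The header-name pattern, the sample request and the placeholder credential values are assumptions constructed for the demonstration; only Authorization, Cookie, X-API-Key and X-Auth-Token come from the advisory.

```javascript
// Added example, not code from follow-redirects or axios: a redirect header
// policy that drops credential-bearing headers, including custom ones such as
// X-API-Key and X-Auth-Token, whenever a redirect crosses to another domain.

// Headers that follow-redirects before 1.16.0 already stripped on cross-domain
// redirects, per the advisory.
const STANDARD_CREDENTIAL_HEADERS = new Set(['authorization', 'cookie']);

// Custom authentication headers named in the advisory (assumption: extend this
// set with whatever header names your application uses for credentials).
const CUSTOM_CREDENTIAL_HEADERS = new Set(['x-api-key', 'x-auth-token']);

// Heuristic for other header names that usually carry secrets (assumption).
const CREDENTIAL_NAME_PATTERN = /auth|token|key|secret|credential/i;

function isCredentialHeader(name) {
  const lower = name.toLowerCase();
  return (
    STANDARD_CREDENTIAL_HEADERS.has(lower) ||
    CUSTOM_CREDENTIAL_HEADERS.has(lower) ||
    CREDENTIAL_NAME_PATTERN.test(lower)
  );
}

// A redirect is cross-domain when the resolved Location points at a different
// host than the request that produced the 3xx response.
function isCrossDomain(fromUrl, location) {
  const from = new URL(fromUrl);
  const to = new URL(location, fromUrl); // also resolves relative Location values
  return from.hostname.toLowerCase() !== to.hostname.toLowerCase();
}

// Hardened policy: on a cross-domain redirect, forward only headers that do
// not look like credentials. Same-domain redirects keep every header.
function headersForRedirect(fromUrl, location, headers) {
  if (!isCrossDomain(fromUrl, location)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!isCredentialHeader(name)) kept[name] = value;
  }
  return kept;
}

// Model of the pre-1.16.0 behaviour the advisory describes: only the standard
// Authorization and Cookie headers are dropped; everything else is forwarded.
function legacyHeadersForRedirect(fromUrl, location, headers) {
  if (!isCrossDomain(fromUrl, location)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!STANDARD_CREDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Audit helper: names of headers the legacy behaviour would forward to the
// redirect target but the hardened policy strips.
function leakedByLegacy(fromUrl, location, headers) {
  const hardened = headersForRedirect(fromUrl, location, headers);
  return Object.keys(legacyHeadersForRedirect(fromUrl, location, headers))
    .filter((name) => !(name in hardened));
}

// Constructed sample request: the values below are placeholders, not real credentials.
const SAMPLE_HEADERS = {
  'X-API-Key': 'CONSTRUCTED-api-key',
  Authorization: 'Bearer CONSTRUCTED-token',
  Cookie: 'session=CONSTRUCTED',
  Accept: 'application/json',
  'User-Agent': 'redirect-policy-demo',
};
const ORIGIN_URL = 'https://api.example.com/v1/data';
const CROSS_DOMAIN_LOCATION = 'https://other.example.net/collect';
const SAME_DOMAIN_LOCATION = '/v2/data';

console.log('leaked by legacy behaviour:', leakedByLegacy(ORIGIN_URL, CROSS_DOMAIN_LOCATION, SAMPLE_HEADERS));
console.log('hardened cross-domain headers:', headersForRedirect(ORIGIN_URL, CROSS_DOMAIN_LOCATION, SAMPLE_HEADERS));
console.log('same-domain headers:', headersForRedirect(ORIGIN_URL, SAME_DOMAIN_LOCATION, SAMPLE_HEADERS));
```

Run with `node`: the legacy model forwards X-API-Key to other.example.net while the hardened policy keeps only Accept and User-Agent, and a same-domain redirect keeps all five headers. The policy compares hostnames only, matching how the advisory frames the issue; a production policy would normally also strip credentials on an https-to-http downgrade, which this advisory does not address. Applications that pull follow-redirects in transitively through axios can confirm the installed version with `npm ls follow-redirects`.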