benoitc hackney Sensitive Data Exposure Vulnerability in HTTP/3 Redirect Handler

Vulnerability

A sensitive data exposure vulnerability has been identified in the benoitc hackney HTTP client, in versions from 3.1.1 before 4.0.1. The issue is in the HTTP/3 redirect handler, which forwards the original request headers, including Authorization and Cookie, to a redirect target without cross-origin checks. This flaw allows an attacker to intercept credentials when a client follows a redirect to a different host. The vulnerability exists because the HTTP/3 client lacks the protections of the HTTP/1.1 client, which can strip sensitive headers before cross-origin redirects.

Impact

Exploitation of this vulnerability leads to the unauthorized disclosure of Authorization and Cookie headers, as well as the request body for certain redirect responses, to an attacker-controlled origin.

Reproduction

To reproduce this vulnerability, send an HTTP/3 POST request to an attacker-controlled server with the follow_redirect option enabled and include Authorization or Cookie headers. The server can respond with a 307 or 308 redirect to another host, which will trigger the vulnerability by forwarding the original headers and body to the new origin.

Remediation

Users can upgrade to hackney version 4.0.1, which addresses this vulnerability by stripping credentials from redirect headers when the target origin differs from the original, unless the location_trusted option is enabled.
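
The cross-origin check described above, written out as an added Erlang example; it is not hackney's own code. The module and function names are hypothetical, and it assumes an origin is the scheme, host and port of the URL, with relative Location values resolved against the original request URL.

```erlang
%% Added example, not hackney's code. Module and function names are hypothetical.
-module(redirect_headers).
-export([headers_for_redirect/4, same_origin/2, demo/0]).
%% Credential headers named in the advisory, lower-cased for comparison.
-define(SENSITIVE, [<<"authorization">>, <<"cookie">>]).

%% Headers that may be forwarded when OrigUrl redirects to Location.
%% LocationTrusted plays the role the advisory gives location_trusted.
headers_for_redirect(OrigUrl, Location, Headers, LocationTrusted) ->
    SameOrigin = case uri_string:resolve(Location, OrigUrl) of
        {error, _, _} -> false;               % unparsable target: fail closed
        Target -> same_origin(OrigUrl, Target)
    end,
    case LocationTrusted orelse SameOrigin of
        true  -> Headers;
        false -> [H || {Name, _} = H <- Headers, not is_sensitive(Name)]
    end.

%% Assumption: an origin is {scheme, host, port}, with default ports filled in.
same_origin(A, B) ->
    O = origin(A),
    O =/= invalid andalso O =:= origin(B).

origin(Url) ->
    case uri_string:parse(unicode:characters_to_binary(Url)) of
        #{scheme := S, host := H} = M ->
            Scheme = string:lowercase(S),
            {Scheme, string:lowercase(H), maps:get(port, M, default_port(Scheme))};
        _ -> invalid
    end.

default_port(<<"https">>) -> 443;
default_port(<<"http">>)  -> 80;
default_port(_)           -> undefined.
is_sensitive(Name) ->
    lists:member(string:lowercase(unicode:characters_to_binary(Name)), ?SENSITIVE).

%% Constructed sample data; each match crashes if the result is unexpected.
demo() ->
    Hs = [{<<"Authorization">>, <<"Bearer EXAMPLE">>},
          {<<"Cookie">>, <<"sid=EXAMPLE">>}, {<<"Accept">>, <<"*/*">>}],
    Orig = <<"https://api.example.test/v1/upload">>,
    Kept = [{<<"Accept">>, <<"*/*">>}],
    Hs   = headers_for_redirect(Orig, <<"/v2/upload">>, Hs, false),
    Hs   = headers_for_redirect(Orig, <<"https://API.example.test:443/x">>, Hs, false),
    Kept = headers_for_redirect(Orig, <<"https://other.example.test/x">>, Hs, false),
    Kept = headers_for_redirect(Orig, <<"http://api.example.test/x">>, Hs, false),
    Hs   = headers_for_redirect(Orig, <<"https://other.example.test/x">>, Hs, true),
    ok.
```

Compile the module with erlc and call redirect_headers:demo() in an Erlang shell; uri_string:resolve/2 requires OTP 22.3 or later.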

Added: May 26, 2026, 7:22 PM
Updated: May 26, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.