Elixir Tesla Improper Case Sensitivity Handling in FollowRedirects Middleware Allows Credential Leakage on Cross-Origin Redirects

Vulnerability

A vulnerability has been identified in the Elixir Tesla library, affecting versions 1.4.0 up to but not including 1.18.3. The issue is in the FollowRedirects middleware, which mishandles the case of HTTP header names. When following a redirect to a different origin, the middleware is supposed to strip sensitive headers such as Authorization and Host. However, it compares header names case-sensitively against a lowercase filter list, so headers set with their canonical casing (as written in the RFCs, e.g. 'Authorization') are not recognized as sensitive. Those headers are therefore forwarded to the redirect destination, exposing bearer tokens or other credentials to a third-party origin. An attacker who can influence the Location header seen by the client can exploit this to obtain the leaked credentials.

Impact

Exploitation of this vulnerability causes the Authorization header, including bearer tokens or other sensitive authorization materials, to be leaked to a third-party origin during cross-origin redirects.

Reproduction

To reproduce this vulnerability, configure a Tesla client to use the FollowRedirects middleware. Set the Authorization header using its canonical casing, 'Authorization'. Then, make a request to an endpoint that returns a 302 redirect to a different origin. The Authorization header will be included in the request to the redirect destination, demonstrating the credential leakage.

Remediation

Update to Tesla version 1.18.3 or later. If an immediate upgrade is not possible, normalize all header keys to lowercase before sending them, using 'authorization' instead of 'Authorization'.
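The following is an added illustration of the header-stripping flaw described under Vulnerability and the lowercase-normalization workaround given under Remediation; it is not Tesla's own code, and the module and function names (RedirectHeaderFilter, strip_sensitive_naive, strip_sensitive, same_origin?) and the sample headers and URLs are assumptions constructed for this example.

```elixir
# Added illustration (not Tesla's implementation): a case-sensitive filter
# leaks canonically-cased headers on a cross-origin redirect; comparing on
# the downcased name closes the gap. Headers are {name, value} tuples.
defmodule RedirectHeaderFilter do
  # Headers that must not follow a redirect to a different origin.
  @sensitive ["authorization", "host"]

  # Vulnerable variant: exact string match against the lowercase list, so
  # "Authorization" (canonical casing) is never matched and is forwarded.
  def strip_sensitive_naive(headers) do
    Enum.reject(headers, fn {name, _value} -> name in @sensitive end)
  end

  # Hardened variant: HTTP header field names are case-insensitive, so
  # normalize before comparing. This is also why the workaround of sending
  # 'authorization' in lowercase makes the naive filter work.
  def strip_sensitive(headers) do
    Enum.reject(headers, fn {name, _value} -> String.downcase(name) in @sensitive end)
  end

  # Only cross-origin redirects need stripping: compare scheme, host and port
  # (URI.parse fills in the default port for http/https).
  def same_origin?(from, to) do
    a = URI.parse(from)
    b = URI.parse(to)
    a.scheme == b.scheme and a.host == b.host and a.port == b.port
  end

  # Headers for the follow-up request, given the original request URL and
  # the Location target; the filter is applied only when the origin changes.
  def headers_for_redirect(headers, from, location, filter \\ &strip_sensitive/1) do
    if same_origin?(from, location), do: headers, else: filter.(headers)
  end
end

# Constructed sample: the client set the header with canonical casing, and the
# server answered with a redirect to another origin.
headers = [{"Authorization", "Bearer EXAMPLE-TOKEN"}, {"Accept", "application/json"}]
from = "https://api.example.com/resource"
location = "https://redirect-target.example.net/landing"

# Naive filter keeps the bearer token in the cross-origin request.
IO.inspect(RedirectHeaderFilter.headers_for_redirect(headers, from, location,
             &RedirectHeaderFilter.strip_sensitive_naive/1), label: "naive")
# Hardened filter drops it; only Accept remains.
IO.inspect(RedirectHeaderFilter.headers_for_redirect(headers, from, location), label: "fixed")
```

Run with `elixir` on the file; the "naive" line still lists Authorization while the "fixed" line does not, which is the check to apply to any redirect-following client before trusting it with credentials.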

Added: Jun 2, 2026, 8:29 PM
Updated: Jun 2, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.