CVE-2024-28849 MEDIUM

CVE-2024-28849: Proxy-Authorization header kept across hosts in follow-redirects

Vendor Follow-Redirects

Product follow-redirects

Weakness CWE-200 · Info exposure

Published March 14, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

March 14, 2024 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-28849 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2024-28849: Proxy-Authorization header kept across hosts in follow-redirects

01Description

02Disclosure timeline

03References

04Related CVE