CVE-2025-21620 HIGH

CVE-2025-21620: Deno's authorization headers not dropped when redirecting cross-origin

Vendor Denoland
Product deno
Weakness CWE-200 · Info exposure
Published January 6, 2025
Last update January 7, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.

Key dates

Disclosure timeline

January 6, 2025 CVE published
January 7, 2025 Record updated