CVE-2025-21620

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-21620

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21620.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-21620

Aliases

GHSA-f27p-cmv8-xhm6

Published

2025-01-06T22:26:40.723Z

Modified

2025-12-02T02:33:48.315672Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Deno's authorization headers not dropped when redirecting cross-origin

Details

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21620.json"
}

References

Affected packages

Git / github.com/denoland/deno

Affected ranges

Type

GIT

Repo

https://github.com/denoland/deno

Events

Introduced

Fixed

2039abe8d2bc82fa800f4118707a48ac6f5e02ae

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.2"
        }
    ]
}

Affected versions

std/0.*

std/0.34.0

std/0.35.0

std/0.36.0

std/0.37.0

std/0.38.0

std/0.39.0

std/0.40.0

std/0.41.0

std/0.42.0

std/0.50.0

std/0.51.0

std/0.52.0

std/0.53.0

std/0.54.0

std/0.55.0

std/0.56.0

std/0.57.0

std/0.58.0

std/0.59.0

std/0.60.0

std/0.61.0

std/0.62.0

std/0.63.0

std/0.64.0

std/0.65.0

std/0.66.0

std/0.67.0

std/0.68.0

std/0.69.0

std/0.70.0

std/0.71.0

std/0.72.0

std/0.73.0

std/0.74.0

std/0.75.0

std/0.76.0

std/0.77.0

std/0.78.0

std/0.79.0

std/0.80.0

std/0.81.0

std/0.82.0

std/0.83.0

std/0.84.0

std/0.85.0

v0.*

v0.0.1

v0.0.3

v0.1.0

v0.1.1

v0.1.10

v0.1.11

v0.1.12

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.2.0

v0.2.1

v0.2.10

v0.2.11

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.2.9

v0.20.0

v0.21.0

v0.22.0

v0.23.0

v0.24.0

v0.25.0

v0.26.0

v0.27.0

v0.28.0

v0.28.1

v0.29.0

v0.3.0

v0.3.1

v0.3.10

v0.3.11

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.30.0

v0.30.1

v0.31.0

v0.32.0

v0.33.0

v0.34.0

v0.35.0

v0.36.0

v0.37.0

v0.37.1

v0.38.0

v0.39.0

v0.4.0

v0.40.0

v0.41.0

v0.42.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0

v1.*

v1.0.0

v1.0.0-rc1

v1.0.0-rc2

v1.0.0-rc3

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.10.0

v1.10.1

v1.10.3

v1.11.0

v1.11.1

v1.11.2

v1.12.0

v1.12.1

v1.12.2

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.15.1

v1.15.2

v1.15.3

v1.16.0

v1.16.1

v1.16.2

v1.17.0

v1.18.0

v1.19.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.20.0

v1.20.1

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.36.0

v1.37.0

v1.38.0

v1.39.0

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.40.0

v1.41.0

v1.42.0

v1.43.0

v1.43.1

v1.44.0

v1.45.0

v1.46.0

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v1.8.0

v1.8.1

v1.8.2

v1.9.0

v1.9.1

v1.9.2

v2.*

v2.0.0

v2.1.0

v2.1.1