GHSA-32x6-qvw6-mxj4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-32x6-qvw6-mxj4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-32x6-qvw6-mxj4/GHSA-32x6-qvw6-mxj4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-32x6-qvw6-mxj4
- Aliases
- Published
- 2022-03-01T22:14:57Z
- Modified
- 2024-10-24T22:21:51.675547Z
- Severity
-
- 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Forwarding of confidentials headers to third parties in fluture-node
- Details
-
Impact
Using
followRedirectsorfollowRedirectsWithwith any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability where, if the destination server were to redirect the request to a server on a third-party domain, or the same domain over unencrypted HTTP, the headers would be included in the follow-up request and be exposed to the third party, or potential http traffic sniffing.Patches
The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin.
Workarounds
Use a custom redirection strategy via the
followRedirectsWithfunction. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.References
- This vulnerability was discovered after the announcement of similar vulnerabilities in the
follow-redirectspackage. There is more information there: https://github.com/advisories/GHSA-74fj-2j2h-c42q and https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/ - Fixed in 125e4474f910c1507f8ec3232848626fbc0f55c4 and 0c99bc511533d48be17dc6bfe641f7d0aeb34d77
- This vulnerability was discovered after the announcement of similar vulnerabilities in the
- Database specific
{ "nvd_published_at": "2022-03-01T21:15:00Z", "cwe_ids": [ "CWE-200", "CWE-212", "CWE-359", "CWE-601" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2022-03-01T22:14:57Z" }- References
-
- https://github.com/fluture-js/fluture-node/security/advisories/GHSA-32x6-qvw6-mxj4
- https://nvd.nist.gov/vuln/detail/CVE-2022-24719
- https://github.com/psf/requests/pull/4718
- https://github.com/fluture-js/fluture-node/commit/0c99bc511533d48be17dc6bfe641f7d0aeb34d77
- https://github.com/fluture-js/fluture-node/commit/125e4474f910c1507f8ec3232848626fbc0f55c4
- https://github.com/fluture-js/fluture-node
- https://github.com/pypa/advisory-database/tree/main/vulns/pyquest/PYSEC-2022-43051.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/request-util/PYSEC-2022-43052.yaml
Affected packages
npm / fluture-node
Package
- Name
- fluture-node
- View open source insights on deps.dev
- Purl
- pkg:npm/fluture-node
PyPI / pyquest
Package
- Name
- pyquest
- View open source insights on deps.dev
- Purl
- pkg:pypi/pyquest