CVE-2022-0155
Exposure of Private Personal Information vulnerability in follow-redirects


What is CVE-2022-0155 About?

The `follow-redirects` package is vulnerable to the Exposure of Private Personal Information to an Unauthorized Actor. This flaw allows an unauthorized party to access sensitive personal information that should remain confidential. Exploitation would typically depend on specific application logic that handles redirects and personal data, making its complexity variable.

Affected Software

follow-redirects <1.14.7

Technical Details

When `follow-redirects` follows a redirect, it may forward the original request's sensitive data (for example authentication tokens, session cookies, or user-specific identifiers carried in HTTP headers or URL parameters) to the new location without stripping it or checking the security posture of the redirect target (for example a downgrade from HTTPS to HTTP). If an attacker can control or observe the redirect chain, or the redirect lands on a compromised or unauthorized third-party site, that information reaches an unauthorized actor. The root cause is the absence of a sanitization or security policy for private data during redirect handling.

What is the Impact of CVE-2022-0155?

Successful exploitation may allow attackers to gain unauthorized access to private personal information, leading to data breaches, identity theft, or further malicious activities.

What is the Exploitability of CVE-2022-0155?

Exploitation complexity is moderate and depends heavily on the specific application's use of `follow-redirects` and how it handles sensitive data during HTTP redirects. There are generally no direct authentication or privilege requirements to trigger the redirect behavior, but accessing the exposed data might require network interception capabilities or control over redirection targets. This is typically a remote vulnerability, affecting clients or servers that utilize `follow-redirects` to handle external HTTP requests. Special conditions include the presence of sensitive personal information in HTTP requests that traverse redirects, and potentially a lack of TLS enforcement on redirect targets. The existence of a proof of concept increases the likelihood of exploitation.

What are the Known Public Exploits?

  • Author: coana-tech
    • Commentary: PoC for CVE-2022-0155 (link)

What are the Available Fixes for CVE-2022-0155?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch removes sensitive headers such as Authorization and Cookie when following HTTP redirects to a different host or domain, unless the redirect target is the same host or a subdomain. This prevents confidential credentials from being leaked to untrusted origins, thus fixing CVE-2022-0155, which allowed such headers to be forwarded across domains during redirects.
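The following is an added example, written for this page and not taken from follow-redirects or from the Resolved Security patch. It shows the header-filtering policy described above (drop Authorization and Cookie unless the redirect target is the same host or a subdomain of it) together with the HTTPS-to-HTTP downgrade case mentioned under Technical Details; the downgrade rule is an added generalization, not part of the described patch. The function names `isSameOrSubdomain` and `headersForRedirect`, the header list, and the sample request are all assumptions constructed for the example.

```javascript
// Added example (not follow-redirects' own code): decide which request
// headers may be carried over when a client follows an HTTP redirect.
// Assumed helper names: isSameOrSubdomain, headersForRedirect.

// Credential-bearing headers that must not cross an origin boundary.
// The list is a constructed policy; Authorization and Cookie are the
// headers named in the advisory.
const SENSITIVE_HEADERS = ["authorization", "cookie"];

// True when `candidate` equals `base` or is a DNS subdomain of it.
// The explicit dot boundary matters: "evil-example.com" must NOT match
// "example.com", and a parent domain is not a subdomain of its child.
function isSameOrSubdomain(candidate, base) {
  const c = candidate.toLowerCase();
  const b = base.toLowerCase();
  return c === b || c.endsWith("." + b);
}

// Returns a copy of `headers` suitable for the redirected request.
// Credential headers are dropped when the target host is neither the
// original host nor one of its subdomains, and always on an HTTPS -> HTTP
// downgrade (constructed rule, motivated by the Technical Details above).
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const from = new URL(originalUrl);
  const to = new URL(redirectUrl);
  const sameSite = isSameOrSubdomain(to.hostname, from.hostname);
  const downgraded = from.protocol === "https:" && to.protocol === "http:";
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (SENSITIVE_HEADERS.includes(lower) && (!sameSite || downgraded)) {
      continue; // stripped: credentials do not follow to this target
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample request headers (values are placeholders).
const constructedRequest = {
  Authorization: "Bearer constructed-token",
  Cookie: "sid=constructed",
  Accept: "application/json",
};

// Cross-origin redirect: Authorization and Cookie are removed, Accept survives.
console.log(
  headersForRedirect("https://example.com/login", "https://evil-example.com/x", constructedRequest)
);
// Same-site subdomain redirect over HTTPS: everything is forwarded.
console.log(
  headersForRedirect("https://example.com/login", "https://api.example.com/x", constructedRequest)
);
```

The check is performed on the parsed `hostname`, not on the raw redirect string, so a `Location` value that only looks similar to the original host (a lookalike domain, or the original host embedded in the path or userinfo) does not pass as same-site.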

Available Upgrade Options

  • follow-redirects
    • <1.14.7 → Upgrade to 1.14.7


Additional Resources

What are Similar Vulnerabilities to CVE-2022-0155?

Similar Vulnerabilities: CVE-2022-0536, CVE-2021-23382, CVE-2021-39139, CVE-2020-26224, CVE-2022-29007