CVE-2022-0355
Information Disclosure vulnerability in simple-get (npm)
What is CVE-2022-0355 About?
The simple-get library, in versions prior to 4.0.1, 3.1.1, and 2.8.2, can expose session cookies to third parties during redirects. When fetching a remote URL whose response carries a Location header, simple-get follows the redirect, potentially sending sensitive cookies to an attacker-controlled domain. Exploitation of this vulnerability is straightforward if an attacker can control redirects.
Affected Software
- simple-get
  - <2.8.2
  - >3.0.0, <3.1.1
  - >4.0.0, <4.0.1
Technical Details
The vulnerability in simple-get (versions prior to 4.0.1, 3.1.1, and 2.8.2) involves incorrect handling of redirection headers in conjunction with cookies. Specifically, when the library fetches a remote URL and that URL responds with a redirection (e.g., HTTP 302, 307) that includes a 'Location' header pointing to a different origin, the simple-get library may, under certain conditions, incorrectly forward existing session cookies to this new, potentially untrusted, location. The attack vector relies on an attacker intercepting or controlling a server's response to an initial request, providing a malicious 'Location' header that then results in the victim's browser or server-side application (using simple-get) sending its session cookie to the attacker's domain.
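One way a client can avoid the cross-origin header forwarding described above, as an added example (not simple-get's code or its patch). The function names, the list of credential headers, and the `.example` hosts are assumptions constructed for illustration; the redirect chain is a lookup table, so nothing touches the network.

```javascript
// Added example, not simple-get's code. The header list is an assumption.
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization'])
const REDIRECT_STATUS = new Set([301, 302, 303, 307, 308])

// Compute the URL and headers for the request that follows a redirect.
function nextHop (currentUrl, location, headers) {
  const from = new URL(currentUrl)
  const to = new URL(location, from) // also resolves relative Location values
  // Origin = scheme + host + port, so an https -> http downgrade is cross-origin.
  const sameOrigin = from.origin === to.origin
  const kept = {}
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase()
    if (lower === 'host') continue // Host must be derived from the new URL
    if (!sameOrigin && CREDENTIAL_HEADERS.has(lower)) continue
    kept[name] = value
  }
  return { url: to.href, headers: kept }
}

// Walk a constructed table of responses and record every request that would
// be sent, so the headers at each hop can be inspected.
function traceRedirects (startUrl, headers, responses, maxRedirects = 5) {
  const sent = []
  let hop = { url: new URL(startUrl).href, headers: { ...headers } }
  for (let i = 0; i <= maxRedirects; i++) {
    sent.push(hop)
    const res = responses[hop.url]
    if (!res || !REDIRECT_STATUS.has(res.status) || !res.location) return sent
    hop = nextHop(hop.url, res.location, hop.headers)
  }
  throw new Error('too many redirects')
}

// Constructed sample: app.example redirects to another origin, which bounces back.
const SAMPLE_RESPONSES = {
  'https://app.example/start': { status: 302, location: '/login' },
  'https://app.example/login': { status: 307, location: 'https://other.example/collect' },
  'https://other.example/collect': { status: 302, location: 'https://app.example/done' },
  'https://app.example/done': { status: 200 }
}

const trace = traceRedirects('https://app.example/start',
  { Cookie: 'session=constructed-value', Accept: 'text/html' }, SAMPLE_RESPONSES)
for (const { url, headers } of trace) console.log(url, Object.keys(headers).join(','))
```

Once a credential header is dropped at a cross-origin hop it stays dropped for the rest of the chain, including a redirect back to the starting origin.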
What is the Impact of CVE-2022-0355?
Successful exploitation may allow attackers to obtain sensitive session cookies, leading to session hijacking and unauthorized access to user accounts or application resources.
What is the Exploitability of CVE-2022-0355?
Exploitation is of moderate complexity, primarily requiring an attacker to trigger a request to a URL that can issue a controlled redirect. No specific authentication is required at the point of header forwarding, but the vulnerability targets the exposure of existing authentication cookies. This is a remote vulnerability. The main prerequisite is that the target application uses a vulnerable version of simple-get and makes requests to external resources. Special conditions involve the ability to intercept or control HTTP responses to generate a malicious redirect. Risk factors increase if the application frequently interacts with third-party services or if the application is susceptible to open redirect vulnerabilities.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-0355?
Available Upgrade Options
- simple-get
  - <2.8.2 → Upgrade to 2.8.2
  - >3.0.0, <3.1.1 → Upgrade to 3.1.1
  - >4.0.0, <4.0.1 → Upgrade to 4.0.1
Additional Resources
- https://osv.dev/vulnerability/GHSA-wpg7-2c88-r8xv
- https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f
- https://github.com/feross/simple-get/pull/75#issuecomment-1027755026
- https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31
- https://github.com/feross/simple-get/pull/76#issuecomment-1027754710
- https://github.com/feross/simple-get
- https://github.com/advisories/GHSA-wpg7-2c88-r8xv
- https://nvd.nist.gov/vuln/detail/CVE-2022-0355
What are Similar Vulnerabilities to CVE-2022-0355?
Similar Vulnerabilities: CVE-2022-0235, CVE-2018-1000632, CVE-2021-23395, CVE-2020-8037, CVE-2019-10776
