CVE-2022-0536
Exposure of Sensitive Information vulnerability in follow-redirects
What is CVE-2022-0536 About?
This vulnerability in the npm package `follow-redirects`, in versions prior to 1.14.8, allows Exposure of Sensitive Information to an Unauthorized Actor. It can lead to the unintended disclosure of confidential data during HTTP redirection. Exploitation typically requires specific application conditions and an understanding of how the application handles data across redirects.
Affected Software
Technical Details
The `follow-redirects` library, in versions prior to 1.14.8, can inadvertently expose sensitive information in its redirect-handling mechanism. The exposure occurs when the library fails to strip sensitive headers (e.g., `Authorization`, `Cookie`) or query parameters containing sensitive data from an HTTP request when following a redirect, particularly one from a secure (HTTPS) origin to an insecure (HTTP) one, or to an untrusted third party. An unauthorized actor intercepting the redirected request, or observing the logs of the server the redirect lands on, could capture information that should have stayed confined to the original secure connection, leading to data disclosure.
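The following is an added example, not code from `follow-redirects` itself: a small helper that applies the rule the advisory describes as missing before 1.14.8, dropping credential-bearing headers when a redirect leaves the original host or downgrades from HTTPS to HTTP, and reporting which headers it dropped so the client's behaviour can be audited. The header set, the host comparison and the function names are assumptions for illustration, not the library's exact logic.

```javascript
// Added example (not follow-redirects' own code). The host-matching rule
// below is an assumption for illustration; the library's logic may differ.

const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Resolve a Location value (absolute or relative) against the request URL.
function resolveLocation(requestUrl, location) {
  return new URL(location, requestUrl).href;
}

// A target is "safe" for credentials only if it keeps the same host (hostname
// and port) and does not move from https to http.
function isSafeRedirectTarget(requestUrl, targetUrl) {
  const from = new URL(requestUrl);
  const to = new URL(targetUrl);
  const sameHost = from.host === to.host;
  const downgraded = from.protocol === 'https:' && to.protocol === 'http:';
  return sameHost && !downgraded;
}

// Return the headers that may be sent to the redirect target, plus the names
// of the headers that were dropped (useful for logging/auditing the client).
function sanitizeRedirectHeaders(requestUrl, location, headers) {
  const targetUrl = resolveLocation(requestUrl, location);
  const headersOut = {};
  const dropped = [];
  const safe = isSafeRedirectTarget(requestUrl, targetUrl);
  for (const [name, value] of Object.entries(headers)) {
    if (!safe && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      dropped.push(name);
    } else {
      headersOut[name] = value;
    }
  }
  return { targetUrl, headers: headersOut, dropped };
}

// Constructed sample request: bearer token plus session cookie.
const sampleHeaders = {
  Authorization: 'Bearer example-token',
  Cookie: 'session=example',
  Accept: 'application/json',
};

// Same-host redirect keeps credentials; cross-host redirect strips them.
console.log(sanitizeRedirectHeaders('https://api.example.com/v1', '/v2', sampleHeaders).dropped);
console.log(sanitizeRedirectHeaders('https://api.example.com/v1', 'https://cdn.example.net/f', sampleHeaders).dropped);
```

Logging the `dropped` list at the point where a client follows a redirect gives a simple signal for spotting applications that were relying on credentials being forwarded across hosts.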
What is the Impact of CVE-2022-0536?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information, leading to data breaches, privacy violations, or further compromise of the system.
What is the Exploitability of CVE-2022-0536?
Exploitation of this sensitive information exposure vulnerability has moderate complexity. It requires specific application logic that uses `follow-redirects` and handles sensitive data in HTTP requests that might undergo redirection. No specific authentication or privilege requirements are generally needed to trigger the redirect. This is a remote vulnerability, affecting clients or servers that perform HTTP requests and process redirects. Key conditions include the presence of sensitive information in request headers or URLs, and the application following redirects to potentially insecure or untrusted destinations. The likelihood of exploitation depends on the frequency with which an application handles sensitive data and uses this library for network requests.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-0536?
Available Upgrade Options
- follow-redirects
  - <1.14.8 → Upgrade to 1.14.8
Additional Resources
- https://osv.dev/vulnerability/GHSA-pw2r-vq6v-hr8c
- https://github.com/follow-redirects/follow-redirects
- https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445
- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db
- https://nvd.nist.gov/vuln/detail/CVE-2022-0536
What are Similar Vulnerabilities to CVE-2022-0536?
Similar Vulnerabilities: CVE-2022-0155, CVE-2021-23382, CVE-2021-39139, CVE-2020-26224, CVE-2022-29007
