CVE-2022-0654
Exposure of Sensitive Information vulnerability in requestretry (npm)
What is CVE-2022-0654 About?
This vulnerability involves the Exposure of Sensitive Information to an Unauthorized Actor in `fgribreau/node-request-retry` prior to 7.0.0. It causes cookies to be leaked to external sites, allowing attackers to potentially intercept sensitive session data. Exploitation is likely achieved by sending requests that trigger the cookie leakage.
Affected Software
Technical Details
The fgribreau/node-request-retry library, specifically versions prior to 7.0.0, is vulnerable to sensitive information exposure due to the leakage of cookies to external sites. This can occur when the library makes HTTP requests, potentially including retry attempts, and inadvertently attaches cookies meant for the original domain to requests made to third-party or external domains. For instance, if a request to a legitimate internal domain fails and is retried, but the retry mechanism or a redirect leads to an external, attacker-controlled domain (or a benign external domain that could be compromised), the sensitive cookies (e.g., session tokens, authentication cookies) might be sent along with the request. This exposes the user's session information or other sensitive data contained in the cookies to an unauthorized actor capable of monitoring or controlling the external site.
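The leak described above, and one guard against it, as an added example that is not requestretry's own code or the upstream fix: it walks a constructed redirect chain and records which headers each hop would receive, with and without dropping credentials when the host changes. The hostnames, header values and function names are assumptions made for illustration.

```javascript
'use strict';
// Added example (not requestretry's code): decide which headers may follow a redirect.
const SENSITIVE = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Return a copy of `headers` that is safe to send to `toUrl` after a redirect from `fromUrl`.
// Credentials are dropped when the hostname changes or the scheme downgrades from https to http.
function headersForRedirect(fromUrl, toUrl, headers) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, from); // a Location value may be relative
  const sameHost = from.hostname.toLowerCase() === to.hostname.toLowerCase();
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  if (sameHost && !downgrade) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE.has(name.toLowerCase())) kept[name] = value; // header names are case-insensitive
  }
  return kept;
}

// Walk a redirect chain (list of Location values) and record what each hop receives.
// guard=false models the leaking behaviour; guard=true applies headersForRedirect.
function traceChain(startUrl, locations, headers, guard) {
  let current = startUrl;
  let sent = { ...headers };
  const hops = [{ url: current, headers: sent }];
  for (const location of locations) {
    const next = new URL(location, current).href;
    sent = guard ? headersForRedirect(current, next, sent) : { ...sent };
    hops.push({ url: next, headers: sent });
    current = next;
  }
  return hops;
}

// Constructed sample: an internal API redirects first within its own host, then to a third party.
const START = 'https://api.internal.example/items';
const SAMPLE_CHAIN = ['/v2/items', 'https://cdn.third-party.example/items'];
const SAMPLE_HEADERS = { Cookie: 'session=EXAMPLE', Accept: 'application/json' };

function demo() {
  return {
    unguarded: traceChain(START, SAMPLE_CHAIN, SAMPLE_HEADERS, false),
    guarded: traceChain(START, SAMPLE_CHAIN, SAMPLE_HEADERS, true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Once credentials are dropped at a cross-host hop they stay dropped for the rest of the chain, so a later redirect back to the original host does not restore them.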
What is the Impact of CVE-2022-0654?
Successful exploitation may allow attackers to intercept sensitive session cookies, leading to session hijacking, unauthorized access to user accounts, or other forms of identity theft.
What is the Exploitability of CVE-2022-0654?
Exploitation of this Exposure of Sensitive Information vulnerability is of medium complexity. An attacker generally needs to control an external site or be able to induce a request to such a site, and then monitor traffic to it. There are no explicit authentication or privilege requirements on the target application itself, but the victim user must be authenticated or possess sensitive cookies. This is typically a remote vulnerability. The special conditions include the application's use of the vulnerable node-request-retry library and the occurrence of requests or redirects that direct cookie-bearing traffic to external, untrusted domains. Risk factors include applications that interact with many third-party services or have complex redirect logic while using the vulnerable library.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-0654?
Available Upgrade Options
- requestretry
  - <7.0.0 → Upgrade to 7.0.0
Additional Resources
- https://github.com/fgribreau/node-request-retry/commit/0979c6001d9d57c2aac3157c11b007397158922a
- https://osv.dev/vulnerability/GHSA-hjp8-2cm3-cc45
- https://huntr.dev/bounties/a779faf5-c2cc-48be-a31d-4ddfac357afc
- https://nvd.nist.gov/vuln/detail/CVE-2022-0654
What are Similar Vulnerabilities to CVE-2022-0654?
Similar Vulnerabilities: CVE-2021-23348, CVE-2021-23363, CVE-2021-23368, CVE-2021-23369, CVE-2021-23420
