CVE-2022-1650
Cookie leakage vulnerability in eventsource (npm)


What is CVE-2022-1650 About?

This vulnerability is a cookie leakage flaw: sensitive user information, including cookies and authorization headers, is inadvertently sent to third-party applications. This bypasses the same-origin policy and leads to unauthorized disclosure of user data. Exploitation is relatively easy because the leak occurs during an ordinary URL fetch that follows a redirect.

Affected Software

  • eventsource
    • >2.0.0, <2.0.2
    • <1.1.1

Technical Details

The vulnerability occurs when an application fetches a URL that contains a redirect to an external site. Contrary to the same-origin policy, which dictates that such headers should be sanitized to prevent cross-origin information leakage, the affected system improperly forwards the user's cookies and authorization headers to the third-party destination. This mechanism allows a malicious third-party site to receive sensitive session information that should have remained within the original domain.

What is the Impact of CVE-2022-1650?

Successful exploitation may allow attackers to gain unauthorized access to user accounts, compromise user sessions, or obtain sensitive information by capturing leaked authentication credentials and session tokens.

What is the Exploitability of CVE-2022-1650?

Exploitation of this vulnerability is of low complexity. It requires no specific authentication or elevated privileges. The attack is remote, contingent on a user interacting with an application that, while fetching a URL, follows a redirect to an attacker-controlled or compromised third-party site. The primary risk factor is the application's failure to properly sanitize headers during cross-origin redirects, which makes any fetch that follows a redirect a potential attack vector.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2022-1650?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch addresses CVE-2022-1650 by ensuring that sensitive headers such as Authorization and Cookie are stripped from the HTTP request when an EventSource connection is redirected to a different origin. This prevents credential leakage to potentially untrusted servers during cross-origin redirects.
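As an added illustration of the origin check described in Technical Details and in the fix above (example code, not the eventsource package's own): which request headers may follow a redirect is decided by comparing the origin of the original URL with the resolved Location. The header list and sample values are constructed assumptions.

```javascript
// Headers that carry credentials and must never cross an origin boundary
// (assumed list, modelled on the Authorization/Cookie headers named in the fix).
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie']);

// Two URLs share an origin when scheme, host and effective port all match.
// URL.origin already normalises default ports (":80" for http, ":443" for https).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Return the headers to send to `location` (the redirect target) given the
// headers that were sent to `originalUrl`. A relative Location such as
// "/stream" is resolved against the original URL first. Header names are
// compared case-insensitively, as HTTP requires.
function headersForRedirect(originalUrl, location, headers) {
  const target = new URL(location, originalUrl).href;
  if (sameOrigin(originalUrl, target)) {
    return { ...headers }; // same origin: credentials may follow
  }
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) {
      kept[name] = value; // cross origin: drop credential headers only
    }
  }
  return kept;
}

// Constructed sample request headers for an EventSource-style connection.
const sampleHeaders = {
  Cookie: 'session=abc123',
  Authorization: 'Bearer token',
  Accept: 'text/event-stream',
};

// Cross-origin redirect: Cookie and Authorization are stripped, Accept survives.
console.log(headersForRedirect('https://app.example/stream',
  'https://third-party.example/collect', sampleHeaders));
// Same-origin redirect: everything is forwarded unchanged.
console.log(headersForRedirect('https://app.example/stream',
  '/v2/stream', sampleHeaders));
```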

Available Upgrade Options

  • eventsource
    • <1.1.1 → Upgrade to 1.1.1
  • eventsource
    • >2.0.0, <2.0.2 → Upgrade to 2.0.2


Additional Resources

What are Similar Vulnerabilities to CVE-2022-1650?

Similar Vulnerabilities: CVE-2023-28157, CVE-2022-2900, CVE-2022-42999, CVE-2022-38686, CVE-2018-1000635