CVE-2024-28849
Credential Leakage vulnerability in follow-redirects (npm)
What is CVE-2024-28849 About?
This vulnerability in `axios`'s `follow-redirects` dependency causes `Proxy-Authorization` headers to be retained during cross-domain redirects. This can lead to the unintended leakage of proxy credentials to an unauthorized third party. It is relatively easy to exploit if a client application uses `axios` and `follow-redirects` in an environment with proxy authentication and follows cross-domain redirects.
Affected Software
Technical Details
The vulnerability in axios, specifically through its follow-redirects dependency, lies in the header sanitization logic during a cross-domain redirect. While follow-redirects correctly clears sensitive headers like Authorization and Cookie when a redirect leads to a different domain, it fails to clear the Proxy-Authorization header. This header, which contains credentials for authenticating with a proxy server, is inadvertently forwarded to the new, potentially malicious, cross-domain destination. The attack vector involves an attacker controlling the target of a cross-domain redirect, allowing them to capture the Proxy-Authorization header sent unintentionally by the vulnerable client.
What is the Impact of CVE-2024-28849?
Successful exploitation may allow attackers to intercept and obtain sensitive proxy authentication credentials, potentially leading to unauthorized access to internal network resources or further attacks.
What is the Exploitability of CVE-2024-28849?
Exploitation requires a client application using axios with follow-redirects to perform a cross-domain redirect. The attacker needs to control the redirect target (e.g., via a malicious website, compromised server, or by manipulating DNS for a legitimate redirect target). No authentication is required on behalf of the attacker, but the victim client needs to be configured with a Proxy-Authorization header. This is a remote vulnerability, as the attacker receives the leaked header from the victim client. The complexity is low to moderate, given common redirect scenarios. The likelihood of exploitation increases if axios clients are deployed in environments heavily reliant on authenticated proxies and frequently interact with external, potentially untrusted, domains via redirects.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-28849?
About the Fix from Resolved Security
The patch extends the set of sensitive headers that follow-redirects strips on a redirect to a different origin: `Proxy-Authorization` is now removed alongside `Authorization` and `Cookie`, which were already stripped before the fix. This addresses CVE-2024-28849 by ensuring proxy credentials are no longer forwarded to an external origin, eliminating that avenue of credential exposure.
Available Upgrade Options
- follow-redirects
  - <1.15.6 → Upgrade to 1.15.6
Additional Resources
- https://github.com/follow-redirects/follow-redirects
- https://hackerone.com/reports/2390009
- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/
- https://nvd.nist.gov/vuln/detail/CVE-2024-28849
- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
- https://github.com/psf/requests/issues/1885
- https://osv.dev/vulnerability/GHSA-cxjh-pqwp-8mfp
What are Similar Vulnerabilities to CVE-2024-28849?
Similar Vulnerabilities: CVE-2023-43644, CVE-2022-24765, CVE-2021-37704, CVE-2020-15104, CVE-2019-10752
