Description
When a fetched URL redirects to an external site, the user's Cookie and Authorization headers are forwarded to the third-party application. According to the same-origin policy, these headers should be stripped ("sanitized") before the cross-origin redirect is followed.
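To illustrate the header-sanitizing step the description says is missing, here is an added example (not code from the eventsource package) of the decision a client should make before following a redirect: credential-bearing headers are forwarded only when the redirect target shares the original request's origin.

```javascript
// Added example: sanitize request headers when an SSE-style client follows
// an HTTP redirect. Not taken from the eventsource package.
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Same-origin check: scheme, host and port must all match.
// URL normalizes default ports, so http://h:80 and http://h compare equal.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Return the headers that may be sent to the redirect target.
// On a cross-origin redirect, Cookie/Authorization-type headers are dropped;
// everything else (Accept, Last-Event-ID, ...) is kept.
function headersForRedirect(headers, fromUrl, toUrl) {
  if (sameOrigin(fromUrl, toUrl)) {
    return { ...headers };
  }
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      out[name] = value;
    }
  }
  return out;
}

// Constructed sample: an event-stream request carrying a session cookie and a bearer token.
const requestHeaders = {
  Accept: 'text/event-stream',
  Cookie: 'session=constructed-example',
  Authorization: 'Bearer constructed-example-token',
};

const streamUrl = 'https://app.example/events';
// Same-origin redirect: credentials are kept.
console.log(headersForRedirect(requestHeaders, streamUrl, 'https://app.example/events/v2'));
// Cross-origin redirect: only Accept survives.
console.log(headersForRedirect(requestHeaders, streamUrl, 'https://third-party.example/collect'));
```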
Recommendation
Update the eventsource package to the latest compatible version. Version details:
Affected version(s): **>= 2.0.0, < 2.0.2; < 1.1.1**
Patched version(s): **2.0.2, 1.1.1**
References
- GHSA-6h5x-7c5m-7cr7
- huntr.dev
- lists.debian.org
- CVE-2022-1650
- CWE-200
- CWE-212
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Tags:
- npm
- eventsource
Last updated on November 28, 2023