follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
- Severity:
- Medium
Description
When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.
Recommendation
Update the follow-redirects package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.15.11
- Patched version(s): 1.16.0
References
Related Issues
- Follow Redirects improperly handles URLs in the url.parse() function - CVE-2023-26159
- Exposure of sensitive information in follow-redirects - CVE-2022-0155
- Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - CVE-2022-0536
- follow-redirects' Proxy-Authorization header kept across hosts - CVE-2024-28849
You might also like:
- Tags:
- npm
- follow-redirects
Anything's wrong? Let us know Last updated on April 14, 2026