kibana - GHSA-r4q5-vmmm-2653
Back to Overview
Detailed information about this CVE

Severity

MEDIUM

Description

## Summary When an HTTP request follows a cross-domain redirect (301/302/307/308), `follow-redirects` only strips `authorization`, `proxy-authorization`, and `cookie` headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., `X-API-Key`, `X-Auth-Token`, `Api-Key`, `Token`) is forwarded verbatim to the redirect target. Since `follow-redirects` is the redirect-handling dependency for **axios** (105K+ stars), this vulnerability affects the entire axios ecosystem. ## Affected Code `index.js`, lines 469-476: ```javascript if (redirectUrl.protocol !== currentUrlParts.protocol && redirectUrl.protocol !== "https:" || redirectUrl.host !== currentHost && !isSubdomain(redirectUrl.host, currentHost)) { removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers); } ``` The regex only matches `authorization`, `proxy-authorization`, and `cookie`. Custom headers like `X-API-Key` are not matched. ## Attack Scenario 1. App uses axios with custom auth header: `headers: { 'X-API-Key': 'sk-live-secret123' }` 2. Server returns `302 Location: https://evil.com/steal` 3. follow-redirects sends `X-API-Key: sk-live-secret123` to `evil.com` 4. Attacker captures the API key ## Impact Any custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js. ## Suggested Fix Add a `sensitiveHeaders` option that users can extend, or strip ALL non-standard headers on cross-domain redirect. ## Disclosure Source code review, manually verified. Found 2026-03-20.

CVSS Scores

Affected Versions

  • 9.4.0
  • 9.3.4
  • 9.3.3
  • 9.3.2
  • 9.3.1
  • 9.3.0
  • 9.2.8
  • 9.2.7
  • 9.2.6
  • 9.2.5
  • 9.2.4
  • 9.2.3
  • 9.2.2
  • 9.2.1
  • 9.2.0
  • 9.1.10
  • 9.1.9
  • 9.1.8
  • 9.1.7
  • 9.1.6
  • 9.1.5
  • 9.1.4
  • 9.1.3
  • 9.1.2
  • 9.1.1
  • 9.1.0
  • 9.0.8
  • 9.0.7
  • 9.0.6
  • 9.0.5
  • 9.0.4
  • 9.0.3
  • 9.0.2
  • 9.0.1
  • 9.0.0
  • 8.19.15
  • 8.19.14
  • 8.19.13
  • 8.19.12
  • 8.19.11
  • 8.19.10
  • 8.19.9
  • 8.19.8
  • 8.19.7
  • 8.19.6
  • 8.19.5
  • 8.19.4
  • 8.19.3
  • 8.19.2
  • 8.19.1
  • 8.19.0
  • 8.18.8
  • 8.18.7
  • 8.18.6
  • 8.18.5
  • 8.18.4
  • 8.18.3
  • 8.18.2
  • 8.18.1
  • 8.18.0
  • 8.17.10
  • 8.17.9
  • 8.17.8
  • 8.17.7
  • 8.17.6
  • 8.17.5
  • 8.17.4
  • 8.17.3
  • 8.17.2
  • 8.17.1
  • 8.17.0
  • 8.16.6
  • 8.16.5
  • 8.16.4
  • 8.16.3
  • 8.16.2
  • 8.16.1
  • 8.16.0
  • 8.15.5
  • 8.15.4
  • 8.15.3
  • 8.15.2
  • 8.15.1
  • 8.15.0
  • 8.14.3
  • 8.14.2
  • 8.14.1
  • 8.14.0
  • 8.13.4
  • 8.13.3
  • 8.13.2
  • 8.13.1
  • 8.13.0
  • 8.12.2
  • 8.12.1
  • 8.12.0
  • 8.11.4
  • 8.11.3
  • 8.11.2
  • 8.11.1
  • 8.11.0
  • 8.10.4
  • 8.10.3
  • 8.10.2
  • 8.10.1
  • 8.9.2
  • 8.9.1
  • 8.9.0
  • 8.8.2
  • 8.8.1
  • 8.8.0
  • 8.7.1
  • 8.7.0
  • 8.6.2
  • 8.6.1
  • 8.6.0
  • 8.5.3
  • 8.5.2
  • 8.5.1
  • 8.5.0
  • 8.4.3
  • 8.4.2
  • 8.4.1
  • 8.4.0
  • 8.3.3
  • 8.3.2
  • 8.3.1
  • 8.3.0
  • 8.2.3
  • 8.2.2
  • 8.2.1
  • 8.2.0
  • 8.1.3
  • 8.1.2
  • 8.1.1
  • 8.1.0
  • 8.0.1
  • 8.0.0

Not Affected Versions