CVE-2024-28849: Follow Redirects Proxy Auth Leak
The code strips 'authorization' headers to prevent credential leaks, but fails to strip 'proxy-authorization'. This can lead to proxy authentication credentials being leaked to untrusted third-party endpoints during cross-domain HTTP redirects. Ensure 'proxy-authorization' is included alongside 'authorization' in the set of sensitive headers stripped before following a redirect to another domain.
Provally Curated · Public repository · Medium · Medium confidence · Verified · Apache-2.0 · JS
greprules fetch cve-2024-28849-follow-redirects-proxy-auth-leak --engine opengrep
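To make the rule concrete, here is an added example (not the follow-redirects project's own code) contrasting the header-stripping logic the description flags with a hardened version that also drops 'proxy-authorization'. The header values, URLs and function names are constructed for illustration.

```javascript
// Added example, not code from follow-redirects. Demonstrates the pattern the
// rule flags: on a cross-domain redirect, only 'authorization' is removed, so
// 'proxy-authorization' travels on to the third-party host.

// Pattern the rule flags: only the 'authorization' header is considered sensitive.
const VULNERABLE_SENSITIVE = /^authorization$/i;
// Hardened pattern: 'proxy-authorization' is treated as sensitive as well.
const HARDENED_SENSITIVE = /^(?:proxy-)?authorization$/i;

// A redirect is cross-domain when scheme or host (incl. port) changes.
function isCrossDomain(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.host !== b.host;
}

// Build the header set for the redirected request: headers matching
// `sensitive` are dropped only when the target is a different domain.
function headersForRedirect(headers, fromUrl, toUrl, sensitive) {
  const crossDomain = isCrossDomain(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossDomain && sensitive.test(name)) continue; // strip credential
    out[name] = value;
  }
  return out;
}

function vulnerableRedirect(headers, fromUrl, toUrl) {
  return headersForRedirect(headers, fromUrl, toUrl, VULNERABLE_SENSITIVE);
}

function hardenedRedirect(headers, fromUrl, toUrl) {
  return headersForRedirect(headers, fromUrl, toUrl, HARDENED_SENSITIVE);
}

// Constructed sample request headers (values are placeholders).
const SAMPLE_HEADERS = {
  'Authorization': 'Bearer app-token',
  'Proxy-Authorization': 'Basic cHJveHk6c2VjcmV0',
  'Accept': 'application/json',
};

// Returns the names of credential headers that would reach the redirect target.
function leakedCredentialHeaders(headers, fromUrl, toUrl, redirectFn) {
  const sent = redirectFn(headers, fromUrl, toUrl);
  return Object.keys(sent).filter((n) => HARDENED_SENSITIVE.test(n));
}
```

Running `leakedCredentialHeaders` with `vulnerableRedirect` against a redirect to another host reports 'Proxy-Authorization' as still present; with `hardenedRedirect` it reports nothing.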