CVE-2025-49593: Insecure Header Blocklist
greprules fetch cve-2025-49593-insecure-header-blocklist --engine opengrep
Description
A blocklist approach is used to remove HTTP headers. This is insecure because new or lesser-known sensitive headers (e.g., 'Authorization', 'X-Api-Key') will bypass this filter and be forwarded or logged, potentially leading to credential theft. Implement a strict allowlist by iterating over all request headers and preserving only those explicitly marked as
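The blocklist and allowlist filters side by side, as an added example that is not part of the greprules page or the rule itself; the header names, the blocked and allowed sets, and the inbound request are constructed sample data.

```python
# Added example (not from the greprules page or rule): a minimal header-forwarding
# filter written both ways, to show why the blocklist flagged by this rule fails.
# Header names and values below are constructed sample data.

# Blocklist: strips only the names the author thought of. Anything not listed
# (Authorization and X-Api-Key here) is forwarded untouched.
BLOCKED = {"cookie", "set-cookie", "proxy-authorization"}

# Allowlist: the only headers the upstream call actually needs.
ALLOWED = {"accept", "content-type", "user-agent", "x-request-id"}


def filter_blocklist(headers: dict[str, str]) -> dict[str, str]:
    """Vulnerable pattern: drop known-bad names, pass everything else."""
    return {k: v for k, v in headers.items() if k.lower() not in BLOCKED}


def filter_allowlist(headers: dict[str, str]) -> dict[str, str]:
    """Fixed pattern: keep only explicitly approved names (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() in ALLOWED}


def leaked_credentials(forwarded: dict[str, str]) -> list[str]:
    """Credential-bearing header names that survived filtering (for checking)."""
    sensitive = {"authorization", "x-api-key", "cookie", "proxy-authorization"}
    return sorted(k for k in forwarded if k.lower() in sensitive)


# Constructed inbound request headers, including three credential carriers.
INBOUND = {
    "Accept": "application/json",
    "Content-Type": "application/json",
    "Cookie": "session=constructed-sample",
    "Authorization": "Bearer constructed-sample-token",
    "X-Api-Key": "constructed-sample-key",
    "X-Request-Id": "req-0001",
}

if __name__ == "__main__":
    # Blocklist removes Cookie but forwards Authorization and X-Api-Key;
    # allowlist forwards none of the three.
    print("blocklist leaks:", leaked_credentials(filter_blocklist(INBOUND)))
    print("allowlist leaks:", leaked_credentials(filter_allowlist(INBOUND)))
```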
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided