Skip to content

[Security] Bump follow-redirects from 1.15.5 to 1.15.6

Bumps follow-redirects from 1.15.5 to 1.15.6. This update includes a security fix.

Vulnerabilities fixed

follow-redirects' Proxy-Authorization header kept across hosts When using axios, its dependency library follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

Steps To Reproduce & PoC

axios Test Code

const axios = require('axios');

axios.get('http://127.0.0.1:10081/',{ headers: { 'AuThorization': 'Rear Test', 'ProXy-AuthoriZation': 'Rear Test', 'coOkie': 't=1' } }).then(function (response) { console.log(response); }) When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Request sent by axios

... (truncated)

Patched versions: 1.15.6 Affected versions: <= 1.15.5

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading