CVE-2024-28849 — follow-redirects' Proxy-Authorization header kept across hosts

Description

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

How to fix CVE-2024-28849

To remediate CVE-2024-28849, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.15.6 or later

Is CVE-2024-28849 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 1.15.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-28849
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-28849
PATCHgithub.com/follow-redirects/follow-redirects
WEBfetch.spec.whatwg.org/#authentication-entries