Authorization header leak in rubygem Mechanize
Description
The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mechanize library before v2.8.5 leaks the Authorization header after a redirect to a different port on the same site.
Vulnerability
Overview
CVE-2022-31033 is a vulnerability in the Mechanize library, a Ruby tool for automating web interactions. In versions prior to 2.8.5, Mechanize fails to properly clear the Authorization header when following an HTTP redirect to a different port on the same host. The root cause is in the header-clearing logic within response_redirect: the code previously only cleared credential headers when redirecting to a different host, but did not account for port changes on the same host [1][2].
Exploitation
An attacker who can control a redirect target on the same site (for example, via an open redirect or by hosting a service on a different port) can cause the client to inadvertently transmit the Authorization header to a different origin. The attack requires network access to redirect the victim's Mechanize-based client, but no additional authentication is needed on the attacker's part [2]. The fix, implemented in commit c7fe6996, separates credential headers (Authorization) from cookie headers (Cookie) and ensures that Authorization is stripped when the port changes, while cookies are still allowed per RFC 6265 [2][3].
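The header-clearing decision described in the Overview and in the fix above, as an added Ruby example that is not Mechanize's own code: it places the pre-2.8.5 rule (strip only when the host changes) next to the patched rule (strip Authorization on any port change on the same host, strip both Authorization and Cookie on a host change) so the leak and its fix can be compared on the same input. The function names, the constant names and the sample header hash are this example's own; Mechanize itself edits the headers hash in place with delete_if, whereas the functions here return a filtered copy.

```ruby
require 'uri'

# Added example, not Mechanize's own code: models the header-stripping
# decision made before a 3xx Location is followed. All names here are
# this example's own and not the library's API.

CREDENTIAL_HEADERS = ['Authorization'].freeze # dropped whenever host or port changes
COOKIE_HEADERS     = ['Cookie'].freeze        # RFC 6265 s8.5: cookies are not port-scoped

# Return a copy of +headers+ without any header whose name matches
# (case-insensitively) one of +names+.
def strip_headers(headers, names)
  headers.reject { |h, _| names.any? { |n| h.casecmp?(n) } }
end

# Rule before 2.8.5 (reconstructed from the '-' side of the fix diff):
# credentials and cookies are dropped only when the host changes, so a
# same-host redirect to another port forwards Authorization unchanged.
def redirect_headers_vulnerable(headers, from_uri, to_uri)
  from, to = URI(from_uri), URI(to_uri)
  return strip_headers(headers, CREDENTIAL_HEADERS + COOKIE_HEADERS) if to.host != from.host
  headers.dup
end

# Rule as of 2.8.5 (the '+' side of the fix diff):
#   other host            -> drop cookies and credentials
#   same host, other port -> drop credentials, keep cookies
#   same host, same port  -> keep everything
def redirect_headers_patched(headers, from_uri, to_uri)
  from, to = URI(from_uri), URI(to_uri)
  if to.host == from.host
    return strip_headers(headers, CREDENTIAL_HEADERS) if to.port != from.port
    headers.dup
  else
    strip_headers(headers, COOKIE_HEADERS + CREDENTIAL_HEADERS)
  end
end

# Constructed sample request headers, same shape as the fix's regression test.
SAMPLE_HEADERS = {
  'Range'         => 'bytes=0-9999',
  'AUTHORIZATION' => 'Basic xxx',
  'cookie'        => 'name=value',
}.freeze

if __FILE__ == $PROGRAM_NAME
  [['http://example/', 'http://example/other'],            # same origin
   ['http://example/', 'http://example:81/http_headers'],  # same host, other port
   ['http://example/', 'http://other.example/']].each do |from, to| # other host
    puts "#{from} -> #{to}"
    puts "  before fix: #{redirect_headers_vulnerable(SAMPLE_HEADERS, from, to).keys.inspect}"
    puts "  after fix:  #{redirect_headers_patched(SAMPLE_HEADERS, from, to).keys.inspect}"
  end
end
```

Running the script prints the surviving header names for each of the three redirect shapes; the middle case is the one CVE-2022-31033 describes, where only the patched rule removes AUTHORIZATION while keeping the cookie.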
Impact
A successful exploit leads to the leakage of sensitive credentials (the Authorization header) to an unintended server port. This could allow an attacker to capture authentication tokens or Basic auth credentials, which may then be reused to impersonate the victim on other services using the same credentials [1][3].
Mitigation
Users should upgrade to Mechanize version 2.8.5 or later, which contains the fix. There are no known workarounds [1]. The vulnerability is patched and no active exploitation has been reported in public advisories.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mechanize (RubyGems) | < 2.8.5 | 2.8.5 |
Affected products
- sparklemotion/mechanize (range: < 2.8.5)
Patches
- c7fe6996a5b9: Merge pull request #600 from sparklemotion/flavorjones-redirect-headers
2 files changed · +32 −6
lib/mechanize/http/agent.rb+9 −4 modified@@ -9,7 +9,8 @@ class Mechanize::HTTP::Agent - CREDENTIAL_HEADERS = ['Authorization', 'Cookie'] + CREDENTIAL_HEADERS = ['Authorization'] + COOKIE_HEADERS = ['Cookie'] POST_HEADERS = ['Content-Length', 'Content-MD5', 'Content-Type'] # :section: Headers @@ -998,10 +999,14 @@ def response_redirect(response, method, page, redirects, headers, end # Make sure we clear credential headers if being redirected to another site - if new_uri.host != page.uri.host - CREDENTIAL_HEADERS.each do |ch| - headers.delete_if { |h| h.casecmp?(ch) } + if new_uri.host == page.uri.host + if new_uri.port != page.uri.port + # https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 + # cookies are OK to be shared across ports on the same host + CREDENTIAL_HEADERS.each { |ch| headers.delete_if { |h| h.casecmp?(ch) } } end + else + (COOKIE_HEADERS + CREDENTIAL_HEADERS).each { |ch| headers.delete_if { |h| h.casecmp?(ch) } } end fetch new_uri, redirect_method, headers, [], referer, redirects + 1
test/test_mechanize_http_agent.rb+23 −2 modified@@ -1569,7 +1569,7 @@ def test_response_redirect_to_cross_site_with_credential refute_includes(headers.keys, "AUTHORIZATION") refute_includes(headers.keys, "cookie") - assert_match 'range|bytes=0-9999', page.body + assert_match("range|bytes=0-9999", page.body) refute_match("authorization|Basic xxx", page.body) refute_match("cookie|name=value", page.body) end @@ -1590,11 +1590,32 @@ def test_response_redirect_to_same_site_with_credential assert_includes(headers.keys, "AUTHORIZATION") assert_includes(headers.keys, "cookie") - assert_match 'range|bytes=0-9999', page.body + assert_match("range|bytes=0-9999", page.body) assert_match("authorization|Basic xxx", page.body) assert_match("cookie|name=value", page.body) end + def test_response_redirect_to_same_site_diff_port_with_credential + @agent.redirect_ok = true + + headers = { + 'Range' => 'bytes=0-9999', + 'AUTHORIZATION' => 'Basic xxx', + 'cookie' => 'name=value', + } + + page = html_page '' + page = @agent.response_redirect({ 'Location' => 'http://example:81/http_headers' }, :get, + page, 0, headers) + + refute_includes(headers.keys, "AUTHORIZATION") + assert_includes(headers.keys, "cookie") + + assert_match("range|bytes=0-9999", page.body) + refute_match("authorization|Basic xxx", page.body) + assert_match("cookie|name=value", page.body) + end + def test_response_redirect_not_ok @agent.redirect_ok = false
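Review bot: in the constants hunk at the top of lib/mechanize/http/agent.rb, the split into `CREDENTIAL_HEADERS = ['Authorization']` and `COOKIE_HEADERS = ['Cookie']` is undocumented at the point of definition; the RFC 6265 section 8.5 rationale for treating cookies differently only appears as a comment inside response_redirect. Suggest a one-line comment beside each constant (credentials: stripped on any host or port change; cookies: shared across ports on the same host per RFC 6265) so that anyone adding another credential-carrying header later knows which list it belongs in.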
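Review bot: the new condition in response_redirect compares only host and port (`if new_uri.host == page.uri.host` then `if new_uri.port != page.uri.port`), so the scheme is not part of the same-origin test; consider whether a scheme change with the same host and port should also clear credentials, and either handle it or state in the comment that it is intentionally treated as the same origin. The two `headers.delete_if { |h| h.casecmp?(ch) }` loops are now duplicated across the branches and could be pulled into a small helper taking the header list, which would let the three outcomes (same origin: keep all; same host, other port: drop credentials; other host: drop cookies and credentials) read as one table. Since `delete_if` mutates the caller's hash, a note that `headers` is modified in place would also help.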
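Review bot: the added test_response_redirect_to_same_site_diff_port_with_credential pins the same-host, other-port case, but the origin port it compares against is implicit in the `html_page ''` fixture rather than visible in the test; an explicit assertion or comment on the fixture page's URI (or a second case redirecting from a non-default port back to the default one) would make the port comparison self-explanatory. The test also asserts on the caller-supplied `headers` hash, which locks in the in-place mutation of the argument as part of the contract; if that is intended, say so in the test name or a comment.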
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-64qm-hrgp-pgr9 (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/ (mitre; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/ (mitre; vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2022-31033 (ghsa; ADVISORY)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2022-31033.yml (ghsa; WEB)
- github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317 (ghsa; x_refsource_MISC, WEB)
- github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9 (ghsa; x_refsource_CONFIRM, WEB)