VYPR
← All advisories
Moderate severityNVD Advisory· Published Mar 14, 2024· Updated Feb 13, 2025

Proxy-Authorization header kept across hosts in follow-redirects

CVE-2024-28849

Description

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In follow-redirects, the Proxy-Authorization header is not cleared during cross-domain redirects, potentially leaking proxy credentials.

Vulnerability

Overview

follow-redirects is a Node.js module that automatically follows HTTP and HTTPS redirects. The vulnerability arises from incomplete clearing of sensitive headers during cross-domain redirects. While the Authorization and Cookie headers are stripped, the Proxy-Authorization header, which also carries credentials, is not removed. This inconsistency violates the Fetch Standard's requirement to clear all authentication entries when navigating across origins [1].

Exploitation

An attacker can exploit this by setting up a server that performs a cross-domain redirect. When a client using follow-redirects makes a request with a Proxy-Authorization header, the redirect will forward that header to a different origin, potentially controlled by the attacker. No special privileges are required; the attacker only needs to trigger a redirect from a domain the client trusts to a domain under their control [4].

Impact

Successful exploitation could lead to the leakage of proxy authentication credentials. If an attacker obtains these credentials, they may gain unauthorized access to proxy servers, potentially enabling further attacks such as traffic interception or impersonation within the network.

Mitigation

The issue is fixed in follow-redirects version 1.15.6. Users should upgrade immediately. There are no known workarounds for this vulnerability [4]. The advisory recommends updating the header matching regex to include proxy-authorization.

References
  1. Fetch Standard
  2. Proxy-Authorization header kept across hosts

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
follow-redirectsnpm
< 1.15.61.15.6

Affected products

83

Patches

1
c4f847f85176

Drop Proxy-Authorization across hosts.

https://github.com/follow-redirects/follow-redirectsRuben VerborghMar 14, 2024via ghsa
commit
2 files changed · +2 1
  • index.js+1 1 modified
    @@ -461,7 +461,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
      redirectUrl.protocol !== "https:" ||
      redirectUrl.host !== currentHost &&
      !isSubdomain(redirectUrl.host, currentHost)) {
-    removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+    removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
   }
 
   // Evaluate the beforeRedirect callback
  • test/test.js+1 0 modified
    @@ -1529,6 +1529,7 @@ describe("follow-redirects", function () {
 
   [
     "Authorization",
+    "Proxy-Authorization",
     "Cookie",
   ].forEach(function (header) {
     describe("when the client passes an header named " + header, function () {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.