High severity (7.5) · OSV Advisory · Published Jan 6, 2025 · Updated Jun 17, 2026
CVE-2025-21620
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.
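The behaviour the description refers to, as an added example in plain JavaScript (Node, no network): this is not Deno's code or the deno_fetch crate, but a small redirect follower that models both the leaking behaviour and the fix. The fix mirrors what the Fetch standard requires on a cross-origin redirect, namely dropping the Authorization header from the follow-up request. All names (followRedirects, headersForRedirect, demoTransport, the hosts api.example and cdn.example, the token value) are constructed for the example.

```javascript
// Added example, not Deno's implementation. A redirect follower that takes a
// `transport(url, headers)` callback in place of a real network, so it runs offline.

// Headers the Fetch standard removes when a redirect leaves the current origin.
const STRIP_ON_CROSS_ORIGIN = ["authorization"];

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Origin = scheme + host + port, so a port change also counts as cross-origin.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Compute the headers for the follow-up request.
// strip=false reproduces the vulnerable behaviour (Authorization is carried along);
// strip=true (default) is the hardened behaviour.
function headersForRedirect(headers, fromUrl, toUrl, { strip = true } = {}) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(lowerKeys(headers))) {
    if (strip && crossOrigin && STRIP_ON_CROSS_ORIGIN.includes(name)) continue;
    out[name] = value;
  }
  return out;
}

// Follow 3xx responses with a Location header. Returns the final response and a
// trace of every hop with the exact headers that were sent to it.
function followRedirects(url, headers, transport, opts = {}) {
  const maxRedirects = opts.maxRedirects ?? 20;
  const trace = [];
  let current = url;
  let currentHeaders = lowerKeys(headers);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = transport(current, currentHeaders);
    trace.push({ url: current, sent: currentHeaders });
    const location = res.headers && res.headers.location;
    if (res.status < 300 || res.status > 399 || !location) return { response: res, trace };
    const next = new URL(location, current).href; // relative Location is resolved against the current URL
    currentHeaders = headersForRedirect(currentHeaders, current, next, opts);
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed transport: api.example first redirects within its own origin,
// then to cdn.example (a different origin), which echoes back what it received.
function demoTransport(url, headers) {
  const u = new URL(url);
  if (u.hostname === "api.example" && u.pathname === "/v1/download") {
    return { status: 301, headers: { location: "/download" }, body: "" };
  }
  if (u.hostname === "api.example" && u.pathname === "/download") {
    return { status: 302, headers: { location: "https://cdn.example/file" }, body: "" };
  }
  if (u.hostname === "cdn.example") {
    return { status: 200, headers: {}, body: JSON.stringify(headers) };
  }
  return { status: 404, headers: {}, body: "" };
}

// Detection check: did the Authorization header reach an origin other than the one it was sent to?
function authorizationLeaked(strip) {
  const { trace } = followRedirects(
    "https://api.example/v1/download",
    { Authorization: "Bearer constructed-token" }, // constructed sample credential
    demoTransport,
    { strip }
  );
  const first = trace[0];
  return trace.some((hop) => !sameOrigin(first.url, hop.url) && "authorization" in hop.sent);
}

// Hop sequence for the demo: same-origin hop keeps the header, cross-origin hop does not.
function headerPresencePerHop(strip) {
  const { trace } = followRedirects(
    "https://api.example/v1/download",
    { Authorization: "Bearer constructed-token" },
    demoTransport,
    { strip }
  );
  return trace.map((hop) => ({ host: new URL(hop.url).hostname, hasAuth: "authorization" in hop.sent }));
}

console.log("vulnerable behaviour leaks:", authorizationLeaked(false)); // true
console.log("hardened behaviour leaks:", authorizationLeaked(true));    // false
```

The trace is the useful part for a defender: a client library can be exercised against a local redirecting server in exactly this way to confirm that credentials are retained across same-origin hops and dropped on the first cross-origin hop, which is the regression check the fixed version should pass.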
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| deno_fetch | crates.io | >= 0.0.1, < 0.204.0 | 0.204.0 |
| deno | crates.io | <= 1.46.3 | — |
| deno | crates.io | >= 2.0.0, < 2.1.2 | 2.1.2 |
Affected products
- (no CPE) range: <= 1.46.3
- (no CPE) range: >= 0.0.1, < 0.204.0