High severity 7.5 · OSV Advisory · Published Jan 6, 2025 · Updated Jun 17, 2026

CVE-2025-21620

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.
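
The behaviour a caller can enforce on its own side, as an added example that is not Deno's patch or code from this advisory: redirects are followed by hand with redirect: "manual", and credential headers are dropped as soon as the redirect target's origin differs. The names safeFetch, SENSITIVE and demo, the header list, and the api.example / cdn.example hosts are assumptions made for this example; it targets server-side runtimes, where a manual redirect returns the 3xx response with its Location header.

```javascript
// Added example: redirect following that drops credentials at an origin change.
// SENSITIVE, safeFetch and demo are names chosen for this example.
const SENSITIVE = ["authorization", "proxy-authorization", "cookie"];
const REDIRECT_CODES = [301, 302, 303, 307, 308];

async function safeFetch(url, init = {}, fetchImpl = fetch, maxRedirects = 10) {
  let current = new URL(url);
  const headers = new Headers(init.headers);
  let method = (init.method || "GET").toUpperCase();
  let body = init.body;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    // redirect: "manual" hands the 3xx response back instead of following it
    const res = await fetchImpl(current.href,
      { ...init, method, body, headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (!REDIRECT_CODES.includes(res.status) || !location) return res;
    const next = new URL(location, current);
    // Origin = scheme + host + port; once stripped, credentials never come back
    if (next.origin !== current.origin) {
      for (const name of SENSITIVE) headers.delete(name);
    }
    // 303, and 301/302 after POST, are re-issued as a body-less GET
    if ((res.status === 303 && method !== "HEAD") ||
        ((res.status === 301 || res.status === 302) && method === "POST")) {
      method = "GET";
      body = undefined;
    }
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed scenario: api.example redirects to cdn.example (both made up).
async function demo() {
  const seen = [];
  const fakeFetch = async (href, init) => {
    seen.push({ href, auth: init.headers.get("authorization") });
    return href === "https://api.example/v1/file"
      ? { status: 302, headers: new Headers({ location: "https://cdn.example/blob" }) }
      : { status: 200, headers: new Headers() };
  };
  await safeFetch("https://api.example/v1/file",
    { headers: { Authorization: "Bearer constructed-token" } }, fakeFetch);
  return seen;
}
```

The same fake-fetch pattern works as a regression test against a runtime's own fetch(): point it at two local listeners on different ports and check that the second one never receives the Authorization header.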

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| deno_fetch (crates.io) | >= 0.0.1, < 0.204.0 | 0.204.0 |
| deno (crates.io) | <= 1.46.3 | |
| deno (crates.io) | >= 2.0.0, < 2.1.2 | 2.1.2 |
