@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects
Description
Impact
When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the original trust boundary.
Redirect following is opt-in. The redirects option defaults to false (no redirections followed), so applications are only affected if they have explicitly set redirects to a positive integer on the request or via Wreck.defaults({ redirects: ... }).
Patches
@hapi/wreck 18.1.1 extends the cross-hostname strip set to include proxy-authorization. Upgrade to 18.1.1 or later.
Workarounds
If upgrading is not immediately possible: - Leave redirects at its default (false) — applications that never enable redirect following are not affected. - If redirects are required, set redirects: 0 when calling endpoints with sensitive headers, or strip Proxy-Authorization from the headers before issuing the request. - Use the beforeRedirect hook to manually strip proxy-authorization (and any other sensitive application headers) when redirectOptions targets a different hostname than the original request.
### Resources - Related: CVE-2024-30260 / GHSA-3787-6prv-h9w3 (undici) - RFC 7235 §4.4 — Proxy-Authorization
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@hapi/wrecknpm | < 18.1.1 | 18.1.1 |
Affected products
22- osv-coords21 versionspkg:apk/chainguard/kibana-8.17pkg:apk/chainguard/kibana-8.17-bitnamipkg:apk/chainguard/kibana-8.17-iamguardedpkg:apk/chainguard/kibana-8.19pkg:apk/chainguard/kibana-8.19-bitnamipkg:apk/chainguard/kibana-8.19-iamguardedpkg:apk/chainguard/kibana-9.0pkg:apk/chainguard/kibana-9.0-bitnamipkg:apk/chainguard/kibana-9.0-iamguardedpkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/kibana-9.2pkg:apk/chainguard/kibana-9.2-iamguardedpkg:apk/chainguard/kibana-9.3pkg:apk/chainguard/kibana-9.3-iamguardedpkg:apk/chainguard/kibana-9.4pkg:apk/chainguard/kibana-9.4-iamguardedpkg:apk/chainguard/opensearch-dashboards-3-fipspkg:apk/chainguard/opensearch-dashboards-3-fips-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-security-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-3-security-dashboards-plugin
< 8.17.10-r22+ 20 more
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.19.16-r3
- (no CPE)range: < 8.19.16-r3
- (no CPE)range: < 8.19.16-r3
- (no CPE)range: < 9.0.8-r26
- (no CPE)range: < 9.0.8-r26
- (no CPE)range: < 9.0.8-r26
- (no CPE)range: < 9.1.10-r19
- (no CPE)range: < 9.1.10-r19
- (no CPE)range: < 9.2.8-r4
- (no CPE)range: < 9.2.8-r4
- (no CPE)range: < 9.3.5-r0
- (no CPE)range: < 9.3.5-r0
- (no CPE)range: < 9.4.2-r0
- (no CPE)range: < 9.4.2-r0
- (no CPE)range: < 3.7.0-r2
- (no CPE)range: < 3.7.0-r0
- (no CPE)range: < 3.7.0-r0
- (no CPE)range: < 3.7.0-r0
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.