Platform: nodejs
Component: follow-redirects
Fixed in: 1.14.8
CVE-2022-0536 describes an improper removal of sensitive information before storage or transfer vulnerability in the follow-redirects package prior to version 1.14.8. The flaw can expose sensitive data unintentionally, affecting applications that rely on this package. It affects Node.js projects using versions of follow-redirects earlier than 1.14.8. A fix is available in version 1.14.8.
The core of this vulnerability lies in the follow-redirects package's handling of sensitive data during redirection processes. Specifically, the package fails to adequately sanitize or remove sensitive information (such as authentication tokens, API keys, or personally identifiable information) before storing or transferring it. An attacker could potentially exploit this by crafting malicious URLs that trigger redirection chains, leading to the unintentional leakage of this sensitive data. The blast radius is primarily limited to applications directly using the follow-redirects package, but the potential for data exposure necessitates prompt remediation. While the CVSS score is LOW, the sensitivity of the data potentially exposed warrants careful attention.
CVE-2022-0536 was publicly disclosed on February 9, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The EPSS score is low (0.09%), consistent with the limited impact of the flaw and the lack of readily available exploits. No KEV listing is present. Public proof-of-concept code is not widely available.
Exploit Status
EPSS: 0.09% (26th percentile)
CVSS Vector
The primary mitigation for CVE-2022-0536 is to upgrade the follow-redirects package to version 1.14.8 or later; this version includes the fixes needed to handle sensitive data correctly during redirection. If upgrading is not immediately feasible because of compatibility issues or breaking changes, implement stricter input validation and output sanitization within your application to reduce the risk of data exposure. A WAF or proxy cannot directly address this vulnerability, but it can be configured to inspect and filter potentially malicious URLs. After upgrading, confirm the fix by testing redirection flows with known sensitive data and verifying that the data is not forwarded where it should not be.
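The following is an added example, not code from the follow-redirects project, modelling the check described in this advisory: before a redirect is followed, credential-bearing headers are forwarded only when the redirect target has the same origin as the original request. It assumes Authorization and Cookie are the credential headers of interest, and adds a small version check for use with the output of `npm list follow-redirects`.

```javascript
// Added illustrative model (not the package's own code) of the cross-origin
// redirect check. Assumed credential headers: Authorization and Cookie.
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie"]);

// Same origin means same scheme, host and port; URL normalises default ports.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Returns the resolved redirect target and the headers that are safe to send to it.
// A Location header may be relative, so it is resolved against the request URL.
function sanitizeRedirectHeaders(fromUrl, locationHeader, headers) {
  const target = new URL(locationHeader, fromUrl).href;
  const crossOrigin = !sameOrigin(fromUrl, target);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      continue; // dropped: forwarding it would leak the credential to another host
    }
    out[name] = value;
  }
  return { target, headers: out };
}

// True when a follow-redirects version string is below the fixed version 1.14.8.
const FIXED_VERSION = [1, 14, 8];
function isAffectedVersion(version) {
  const parts = version.split(".").map(Number);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false;
}

// Constructed sample: a 302 from the API host to an unrelated host.
const sample = sanitizeRedirectHeaders(
  "https://api.example.com/v1/resource",
  "https://other.example.net/landing",
  { Authorization: "Bearer constructed-token", Cookie: "session=1", Accept: "application/json" }
);
console.log(sample.target, Object.keys(sample.headers)); // only Accept survives
```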
Update the follow-redirects dependency to version 1.14.8 or higher. This will resolve the vulnerability that exposes sensitive information before it is stored or transferred. Run `npm install follow-redirects@latest` or `yarn upgrade follow-redirects@latest` to update.
CVE-2022-0536 is a vulnerability in the NPM follow-redirects package where sensitive data isn't properly removed before storage or transfer, potentially leading to information disclosure. It's rated LOW severity.
You are affected if you are using a follow-redirects version earlier than 1.14.8 in your Node.js project. Check your dependencies with `npm list follow-redirects`.
Upgrade the follow-redirects package to version 1.14.8 or later using `npm install follow-redirects@latest`.
There is currently no evidence of active exploitation campaigns targeting CVE-2022-0536.
Refer to the NPM advisory for details: https://www.npmjs.com/advisories/1022