Platform
nodejs
Component
follow-redirects
Fixed in
1.15.7
1.15.6
CVE-2024-28849 affects the follow-redirects dependency used by the Axios HTTP client. This vulnerability arises because the follow-redirects package only clears the Authorization header during cross-domain redirects, but fails to remove the Proxy-Authorization header, which may contain sensitive credentials. Exploitation could lead to unauthorized access and data breaches, impacting applications relying on Axios for network requests.
The primary impact of CVE-2024-28849 is the potential exposure of credentials transmitted via the Proxy-Authorization header. An attacker controlling a malicious intermediary server (e.g., a rogue proxy) can intercept requests and responses during cross-domain redirects. Because the Proxy-Authorization header is not properly cleared, it is included in the redirected request, allowing the attacker to steal the credentials. This could enable the attacker to impersonate the user or application, gaining unauthorized access to internal resources. The blast radius extends to any application using Axios with the vulnerable follow-redirects version and relying on proxy authentication. While not directly exploitable for remote code execution, the credential theft can be a stepping stone for further attacks.
CVE-2024-28849 was published on March 14, 2024. There is currently no indication of active exploitation in the wild. Public proof-of-concept (POC) code is available, demonstrating the vulnerability. The EPSS score is likely low to medium, reflecting the need for a controlled environment to exploit the vulnerability and the relatively limited impact compared to RCE vulnerabilities. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.92% (76% percentile)
CVSS Vector
The primary mitigation for CVE-2024-28849 is to upgrade the follow-redirects dependency to version 1.15.6 or later. This version includes a fix that properly clears both the Authorization and Proxy-Authorization headers during cross-domain redirects. If upgrading Axios directly is not feasible due to compatibility issues, consider implementing a temporary workaround by filtering or removing the Proxy-Authorization header before sending requests. This can be achieved using a reverse proxy or a custom middleware. Implement WAF rules to detect and block requests containing sensitive headers in redirects. After upgrading, confirm the fix by sending a request with a Proxy-Authorization header through a cross-domain redirect and verifying that the header is not present in the redirected response.
Actualice la biblioteca follow-redirects a la versión 1.15.6 o superior. Esto solucionará la vulnerabilidad que permite la fuga de credenciales al mantener el encabezado Proxy-Authorization entre hosts durante las redirecciones. Ejecute `npm install follow-redirects@latest` o `yarn add follow-redirects@latest` para actualizar.
Vulnerability analysis and critical alerts directly to your inbox.
It's a medium-severity vulnerability in Axios' follow-redirects dependency that allows proxy authentication headers to leak during cross-domain redirects, potentially exposing credentials.
If you're using Axios with a version of follow-redirects prior to 1.15.6, you are potentially affected. Assess your dependencies and upgrade accordingly.
Upgrade the follow-redirects dependency to version 1.15.6 or later. If direct upgrade isn't possible, consider a temporary workaround like filtering the Proxy-Authorization header.
Currently, there's no evidence of active exploitation in the wild, but a public POC exists, so vigilance is advised.
Refer to the Axios GitHub repository ([https://github.com/axios/axios](https://github.com/axios/axios)) and the CVE entry on NVD for more details.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.