Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects
Platform: nodejs
Component: follow-redirects
Fixed in: 1.14.8
CVE-2022-0536 describes an improper removal of sensitive information before storage or transfer vulnerability in the follow-redirects package prior to version 1.14.8. This flaw can lead to unintentional exposure of sensitive data, potentially impacting applications relying on this package. The vulnerability affects Node.js projects utilizing versions of follow-redirects less than or equal to 1.14.8. A fix is available in version 1.14.8.
Impact and Attack Scenarios
The core of this vulnerability lies in the follow-redirects package's handling of sensitive data during redirection processes. Specifically, the package fails to adequately sanitize or remove sensitive information (such as authentication tokens, API keys, or personally identifiable information) before storing or transferring it. An attacker could potentially exploit this by crafting malicious URLs that trigger redirection chains, leading to the unintentional leakage of this sensitive data. The blast radius is primarily limited to applications directly using the follow-redirects package, but the potential for data exposure necessitates prompt remediation. While the CVSS score is LOW, the sensitivity of the data potentially exposed warrants careful attention.
Exploitation Context
CVE-2022-0536 was publicly disclosed on February 9, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The EPSS score is likely low due to the relatively simple nature of the vulnerability and the lack of readily available exploits. No KEV listing is present. Public proof-of-concept code is not widely available.
Who Is at Risk
Node.js developers and organizations utilizing the follow-redirects package in their projects are at risk. This includes applications that heavily rely on redirection functionality, such as web scraping tools, API clients, and proxy servers. Projects using older versions of Node.js or those with complex dependency management systems are particularly vulnerable.
Detection Steps
• nodejs / supply-chain: run `npm list follow-redirects`. If the output shows a version <= 1.14.8, the system is vulnerable.
• nodejs / supply-chain: run `npm audit follow-redirects`. This command will identify vulnerable dependencies in your project.
• generic web: Examine application logs for unusual redirection patterns or requests containing sensitive data in URL parameters. Look for patterns indicative of attempted data exfiltration.
Threat Intelligence
EPSS: 0.09% (percentile 26%)
CVSS Vector
What do these metrics mean?
- Attack Vector: Adjacent, requires network proximity (same LAN, Bluetooth or local segment).
- Attack Complexity: High, requires a race condition, a non-standard configuration or specific circumstances.
- Privileges Required: Low, any valid user account is sufficient.
- User Interaction: None, the attack is automatic and silent; the victim does nothing.
- Scope: Unchanged, impact is limited to the vulnerable component.
- Confidentiality: Low, partial or indirect access to some data.
- Integrity: None, no impact on integrity.
- Availability: None, no impact on availability.
Affected Software
Package information
- Last update: 1.16.0 (recently)
Mitigation and Workarounds
The primary mitigation for CVE-2022-0536 is to upgrade the follow-redirects package to version 1.14.8 or later. This version includes the necessary fixes to properly handle sensitive data during redirection. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output sanitization within your application to minimize the risk of data exposure. While a WAF or proxy cannot directly address this vulnerability, they can be configured to inspect and filter potentially malicious URLs. After upgrading, confirm the fix by testing redirection flows with known sensitive data to ensure it is not being inadvertently exposed.
How to fix
Update the follow-redirects dependency to version 1.14.8 or later. This fixes the vulnerability that exposes sensitive information before it is stored or transferred. Run `npm install follow-redirects@latest` or `yarn upgrade follow-redirects@latest` to update.
Frequently asked questions
What is CVE-2022-0536 — Sensitive Data Leak in follow-redirects?
CVE-2022-0536 is a vulnerability in the NPM follow-redirects package where sensitive data isn't properly removed before storage or transfer, potentially leading to information disclosure. It's rated LOW severity.
Am I affected by CVE-2022-0536 in follow-redirects?
You are affected if you are using follow-redirects version 1.14.8 or earlier in your Node.js project. Check your dependencies with npm list follow-redirects.
How do I fix CVE-2022-0536 in follow-redirects?
Upgrade the follow-redirects package to version 1.14.8 or later using npm install follow-redirects@latest.
Is CVE-2022-0536 being actively exploited?
There is currently no evidence of active exploitation campaigns targeting CVE-2022-0536.
Where can I find the official follow-redirects advisory for CVE-2022-0536?
Refer to the NPM advisory for details: https://www.npmjs.com/advisories/1022