MEDIUM · CVE-2024-28849 · CVSS 6.5

follow-redirects' Proxy-Authorization header kept across hosts


Platform: nodejs

Component: follow-redirects

Fixed versions: 1.15.7, 1.15.6

AI Confidence: high · NVD · EPSS 0.9% · Reviewed: May 2026

CVE-2024-28849 affects the follow-redirects dependency used by the Axios HTTP client. This vulnerability arises because the follow-redirects package only clears the Authorization header during cross-domain redirects, but fails to remove the Proxy-Authorization header, which may contain sensitive credentials. Exploitation could lead to unauthorized access and data breaches, impacting applications relying on Axios for network requests.

Impact and attack scenarios

The primary impact of CVE-2024-28849 is the potential exposure of credentials transmitted via the Proxy-Authorization header. An attacker controlling a malicious intermediary server (e.g., a rogue proxy) can intercept requests and responses during cross-domain redirects. Because the Proxy-Authorization header is not properly cleared, it is included in the redirected request, allowing the attacker to steal the credentials. This could enable the attacker to impersonate the user or application, gaining unauthorized access to internal resources. The blast radius extends to any application using Axios with the vulnerable follow-redirects version and relying on proxy authentication. While not directly exploitable for remote code execution, the credential theft can be a stepping stone for further attacks.

Exploitation status

CVE-2024-28849 was published on March 14, 2024. There is currently no indication of active exploitation in the wild. Public proof-of-concept (POC) code is available, demonstrating the vulnerability. The EPSS score is likely low to medium, reflecting the need for a controlled environment to exploit the vulnerability and the relatively limited impact compared to RCE vulnerabilities. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Threat intelligence

Exploit status

Proof of concept: Unknown
CISA KEV: No
Internet exposure
NextGuard: 70% still vulnerable

EPSS: 0.92% (76th percentile)

CVSS vector

Threat intelligence · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base score: 6.5 (MEDIUM)
- Attack Vector: Network (how the attacker reaches the target)
- Attack Complexity: Low (conditions required for exploitation)
- Privileges Required: Low (authentication level needed for the attack)
- User Interaction: None (whether the victim must take any action)
- Scope: Unchanged (impact beyond the vulnerable component)
- Confidentiality: High (risk of sensitive data disclosure)
- Integrity: None (risk of unauthorized data modification)
- Availability: None (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
Attack Complexity: Low. No special conditions required; exploitation is reliable.
Privileges Required: Low. A valid user account is sufficient.
User Interaction: None. The attack is automated and silent; the victim does nothing.
Scope: Unchanged. Impact is confined to the vulnerable component.
Confidentiality: High. Complete loss of confidentiality; all data is readable.
Integrity: None. No impact on integrity.
Availability: None. No impact on availability.

Affected software

Component: follow-redirects
Vendor: osv
Affected range: < 1.15.6
Fixed versions: 1.15.7, 1.15.6

Package information

Last updated: 1.16.0 (recent)

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Updated
  4. EPSS updated
Patched 1 day after publication

Mitigations and workarounds

The primary mitigation for CVE-2024-28849 is to upgrade the follow-redirects dependency to version 1.15.6 or later. This version includes a fix that clears both the Authorization and Proxy-Authorization headers during cross-domain redirects. If upgrading Axios directly is not feasible due to compatibility issues, consider a temporary workaround that filters or removes the Proxy-Authorization header before requests are sent; this can be done with a reverse proxy or custom middleware. Implement WAF rules to detect and block requests that carry sensitive headers across redirects. After upgrading, confirm the fix by sending a request with a Proxy-Authorization header through a cross-domain redirect and verifying that the header is not forwarded in the follow-up request to the second host.
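As an added example (not code from follow-redirects, Axios, or this advisory), the following Node.js script models the header handling described here and in the impact section: the vulnerable behaviour drops only Authorization on a cross-host redirect, the fixed behaviour also drops Proxy-Authorization, and an audit over a redirect chain flags any credential header that crossed a host boundary, which is the post-upgrade check recommended above. The host names, header values, and the inclusion of Cookie in the credential list are the example's own constructions, and the cross-host test (any change of scheme, host, or port) is the example's own policy, not a description of follow-redirects' internal check.

```javascript
// Added example: models cross-host redirect header policy and audits a
// redirect chain for leaked credential headers. Not code from follow-redirects,
// Axios, or the advisory; all hosts and header values are constructed.

// Credential-bearing request headers (lower-cased). Cookie is this example's
// own addition (assumption); the advisory names Authorization and
// Proxy-Authorization.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// What the vulnerable version dropped on a cross-host redirect, and what the
// fixed policy should drop.
const VULNERABLE_POLICY = ['authorization'];
const FIXED_POLICY = CREDENTIAL_HEADERS;

// Cross-host test used by this example: any change of scheme, host, or port.
function isCrossHost(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.hostname !== b.hostname || a.port !== b.port;
}

// Build the header set for the follow-up request after a redirect, dropping
// the headers named in `policy` only when the target is on another host.
function headersForRedirect(headers, fromUrl, toUrl, policy) {
  const cross = isCrossHost(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (cross && policy.includes(lower)) continue;
    out[lower] = value;
  }
  return out;
}

// Walk a chain of redirect targets as a client would and record each hop's
// request URL and the headers it would carry.
function followChain(startHeaders, urls, policy) {
  let headers = { ...startHeaders };
  const hops = [{ url: urls[0], headers }];
  for (let i = 1; i < urls.length; i++) {
    headers = headersForRedirect(headers, urls[i - 1], urls[i], policy);
    hops.push({ url: urls[i], headers });
  }
  return hops;
}

// Audit: report every credential header that arrived at a hop whose host
// differs from the previous hop. An empty result is the expected outcome
// after the upgrade.
function auditChain(hops) {
  const findings = [];
  for (let i = 1; i < hops.length; i++) {
    if (!isCrossHost(hops[i - 1].url, hops[i].url)) continue;
    for (const name of Object.keys(hops[i].headers)) {
      const lower = name.toLowerCase();
      if (CREDENTIAL_HEADERS.includes(lower)) {
        findings.push({ hop: i, host: new URL(hops[i].url).host, header: lower });
      }
    }
  }
  return findings;
}

// Constructed request: proxy credentials plus a bearer token (not real values).
const START_HEADERS = {
  'Proxy-Authorization': 'Basic cHJveHk6cHJveHlwYXNz',
  'Authorization': 'Bearer example-token-not-real',
  'Cookie': 'session=constructed',
  'Accept': 'application/json',
};

// Constructed chain: same-host redirect first, then a redirect to another host.
const CHAIN = [
  'https://internal.example.test/api/report',
  'https://internal.example.test/api/v2/report',
  'https://third-party.example.test/download',
];

console.log('vulnerable policy:', auditChain(followChain(START_HEADERS, CHAIN, VULNERABLE_POLICY)));
console.log('fixed policy:', auditChain(followChain(START_HEADERS, CHAIN, FIXED_POLICY)));
```

Running the script shows two findings under the vulnerable policy (Proxy-Authorization and Cookie reaching the third-party host) and none under the fixed policy, while the same-host hop keeps every header under both. To use the audit on real traffic, replace the constructed chain with the URL and header pairs captured from an egress proxy or request-logging middleware.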

How to fix

Update the follow-redirects library to version 1.15.6 or later. This fixes the vulnerability that allows credentials to leak by keeping the Proxy-Authorization header across hosts during redirects. Run `npm install follow-redirects@latest` or `yarn add follow-redirects@latest` to update.


Frequently asked questions

What is CVE-2024-28849 in follow-redirects?

It's a medium-severity vulnerability in Axios' follow-redirects dependency that allows proxy authentication headers to leak during cross-domain redirects, potentially exposing credentials.

Am I affected by CVE-2024-28849 in follow-redirects?

If you're using Axios with a version of follow-redirects prior to 1.15.6, you are potentially affected. Assess your dependencies and upgrade accordingly.

How do I fix CVE-2024-28849 in follow-redirects?

Upgrade the follow-redirects dependency to version 1.15.6 or later. If direct upgrade isn't possible, consider a temporary workaround like filtering the Proxy-Authorization header.

Is CVE-2024-28849 being actively exploited?

Currently, there's no evidence of active exploitation in the wild, but a public POC exists, so vigilance is advised.

Where can I find the official follow-redirects advisory for CVE-2024-28849?

Refer to the Axios GitHub repository ([https://github.com/axios/axios](https://github.com/axios/axios)) and the CVE entry on NVD for more details.
