Platform
nodejs
Component
follow-redirects
Fixed version
1.14.8
CVE-2022-0536 describes an improper removal of sensitive information before storage or transfer vulnerability in the follow-redirects package prior to version 1.14.8. This flaw can lead to unintentional exposure of sensitive data, potentially impacting applications relying on this package. The vulnerability affects Node.js projects utilizing versions of follow-redirects less than or equal to 1.14.8. A fix is available in version 1.14.8.
The core of this vulnerability lies in the follow-redirects package's handling of sensitive data during redirection processes. Specifically, the package fails to adequately sanitize or remove sensitive information (such as authentication tokens, API keys, or personally identifiable information) before storing or transferring it. An attacker could potentially exploit this by crafting malicious URLs that trigger redirection chains, leading to the unintentional leakage of this sensitive data. The blast radius is primarily limited to applications directly using the follow-redirects package, but the potential for data exposure necessitates prompt remediation. While the CVSS score is LOW, the sensitivity of the data potentially exposed warrants careful attention.
CVE-2022-0536 was publicly disclosed on February 9, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The EPSS score is likely low due to the relatively simple nature of the vulnerability and the lack of readily available exploits. No KEV listing is present. Public proof-of-concept code is not widely available.
Node.js developers and organizations utilizing the follow-redirects package in their projects are at risk. This includes applications that heavily rely on redirection functionality, such as web scraping tools, API clients, and proxy servers. Projects using older versions of Node.js or those with complex dependency management systems are particularly vulnerable.
• nodejs / supply-chain: `npm list follow-redirects`. If the output shows a version <= 1.14.8, the system is vulnerable.
• nodejs / supply-chain: `npm audit follow-redirects`. This command will identify vulnerable dependencies in your project.
• generic web: Examine application logs for unusual redirection patterns or requests containing sensitive data in URL parameters. Look for patterns indicative of attempted data exfiltration.
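The `npm list` check above only shows the first matching copy; a transitive copy nested under another dependency can still be vulnerable. The following is an added example, not code from the advisory or the follow-redirects project: it walks the JSON tree that `npm ls --all --json` prints and flags every follow-redirects instance older than the fixed version. The tree embedded in it is constructed sample data, and it assumes plain x.y.z version strings.

```javascript
// Added example: find every copy of follow-redirects older than the fixed
// version anywhere in the dependency tree, reporting the path it came in through.
const FIXED_VERSION = '1.14.8';
const PACKAGE = 'follow-redirects';

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Assumption: plain x.y.z strings (pre-release suffixes are ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk an `npm ls --json` style tree and collect every instance of
// PACKAGE whose version is below FIXED_VERSION, with the chain that pulled it in.
function findVulnerable(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === PACKAGE && compareVersions(info.version, FIXED_VERSION) < 0) {
      out.push({ version: info.version, path: here.join(' > ') });
    }
    findVulnerable(info, here, out);
  }
  return out;
}

// Constructed sample resembling `npm ls --all --json` output: one direct,
// patched copy and one transitive, still-vulnerable copy nested under axios.
const SAMPLE_TREE = {
  name: 'sample-app', version: '1.0.0',
  dependencies: {
    'follow-redirects': { version: '1.14.8' },
    axios: {
      version: '0.21.1',
      dependencies: { 'follow-redirects': { version: '1.14.7' } },
    },
  },
};

const hits = findVulnerable(SAMPLE_TREE);
console.log(hits.length ? hits : 'no vulnerable follow-redirects copies found');
```

On a real project, pipe `npm ls --all --json` into `JSON.parse` and pass the result to `findVulnerable` in place of the sample tree.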
Disclosure
Exploitation status
EPSS
0.09% (26th percentile)
CVSS vector
The primary mitigation for CVE-2022-0536 is to upgrade the follow-redirects package to version 1.14.8 or later. This version includes the necessary fixes to properly handle sensitive data during redirection. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output sanitization within your application to minimize the risk of data exposure. While a WAF or proxy cannot directly address this vulnerability, they can be configured to inspect and filter potentially malicious URLs. After upgrading, confirm the fix by testing redirection flows with known sensitive data to ensure it is not being inadvertently exposed.
Update the follow-redirects dependency to version 1.14.8 or later. This fixes the vulnerability that exposes sensitive information before it is stored or transferred. Run `npm install follow-redirects@latest` or `yarn upgrade follow-redirects@latest` to update.
CVE-2022-0536 is a vulnerability in the NPM follow-redirects package where sensitive data isn't properly removed before storage or transfer, potentially leading to information disclosure. It's rated LOW severity.
You are affected if you are using follow-redirects version 1.14.8 or earlier in your Node.js project. Check your dependencies with npm list follow-redirects.
Upgrade the follow-redirects package to version 1.14.8 or later using npm install follow-redirects@latest.
There is currently no evidence of active exploitation campaigns targeting CVE-2022-0536.
Refer to the NPM advisory for details: https://www.npmjs.com/advisories/1022