Skip to content

chore(deps): update dependency follow-redirects@<1.15.6 to ~1.16.0 [security]#472

Merged
EugeniyKiyashko merged 1 commit into
masterfrom
renovate/npm-follow-redirects-1.15.6-vulnerability
Apr 20, 2026
Merged

chore(deps): update dependency follow-redirects@<1.15.6 to ~1.16.0 [security]#472
EugeniyKiyashko merged 1 commit into
masterfrom
renovate/npm-follow-redirects-1.15.6-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 17, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
follow-redirects@<1.15.6 ~1.15.6~1.16.0 age confidence

GitHub Vulnerability Alerts

GHSA-r4q5-vmmm-2653

Summary

When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.

Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.

Affected Code

index.js, lines 469-476:

if (redirectUrl.protocol !== currentUrlParts.protocol &&
   redirectUrl.protocol !== "https:" ||
   redirectUrl.host !== currentHost &&
   !isSubdomain(redirectUrl.host, currentHost)) {
  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}

The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.

Attack Scenario

  1. App uses axios with custom auth header: headers: { 'X-API-Key': 'sk-live-secret123' }
  2. Server returns 302 Location: https://evil.com/steal
  3. follow-redirects sends X-API-Key: sk-live-secret123 to evil.com
  4. Attacker captures the API key

Impact

Any custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.

Suggested Fix

Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.

Disclosure

Source code review, manually verified. Found 2026-03-20.

Severity
  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Release Notes

follow-redirects/follow-redirects (follow-redirects@<1.15.6)

v1.16.0

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 17, 2026
@EugeniyKiyashko EugeniyKiyashko self-assigned this Apr 20, 2026
@EugeniyKiyashko EugeniyKiyashko merged commit 7eae58a into master Apr 20, 2026
68 checks passed
@EugeniyKiyashko EugeniyKiyashko deleted the renovate/npm-follow-redirects-1.15.6-vulnerability branch April 20, 2026 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EugeniyKiyashko EugeniyKiyashko EugeniyKiyashko approved these changes

Assignees

@EugeniyKiyashko EugeniyKiyashko

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@EugeniyKiyashko