Intro
When `SimpleAsyncHTTPClient` follows a 3xx redirect, it makes a shallow copy of the original HTTP request. It updates the request URL, decreases the redirect counter, and removes only the `Host` header. It does not clear `Authorization`, `auth_username`, `auth_password`, or `auth_mode` when the redirect target belongs to a different origin.
Because the default setting is `follow_redirects=True`, credentials meant for one origin are sent to a completely different origin when a redirection occurs.
Starting with Tornado 6.5.6, `SimpleAsyncHTTPClient` matches the behavior of `CurlAsyncHTTPClient` (and libcurl): if a redirect changes the scheme, host, or port, both `Authorization` and `Cookie` headers are stripped before following the redirect.
DailyCVE Form:
Platform: Tornado
Version: <6.5.6
Vulnerability: Credential leak redirect
Severity: High
Date: May 27, 2026
Prediction: Already patched (6.5.6)
What Undercode Say
Check vulnerable version
pip show tornado | grep Version
Test redirect behavior (vulnerable)
python3 <<EOF
from tornado.httpclient import AsyncHTTPClient, HTTPRequest
import asyncio

async def test():
    # follow_redirects defaults to True; before 6.5.6 the Authorization header
    # is carried across the redirect even when the target is a different origin
    req = HTTPRequest("http://trusted-site.com/redirect-to-attacker",
                      headers={"Authorization": "Bearer secret"})
    client = AsyncHTTPClient()
    resp = await client.fetch(req)
    print(resp.code)

asyncio.run(test())
EOF
Exploit
An attacker who controls a redirect endpoint (via open redirect, DNS rebinding, or MITM) can capture `Bearer` tokens, Basic auth credentials, or any other value placed in the `Authorization` header because the victim’s Tornado client forwards those credentials to the attacker’s origin.
Protection
Upgrade Tornado to 6.5.6 or later. If you cannot upgrade, set `follow_redirects=False` and handle redirects manually, or switch to `CurlAsyncHTTPClient`, which already strips sensitive headers on cross-origin redirects.
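The cross-origin check described in the Intro and the manual redirect handling recommended above, as an added example (not Tornado's own code): `scrub_for_redirect` resolves the `Location` header and drops `Authorization`, `Cookie` and the auth username/password pair whenever scheme, host or port changes, and `follow` walks a constructed redirect chain with and without that scrubbing. It assumes an omitted port equals the scheme default, and the `FAKE_SERVERS` table and hostnames are constructed for the demo.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Credential-bearing headers that must not cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})

def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, effective port). Assumption: an omitted port equals the
    scheme default, so http://h and http://h:80 are one origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, (parts.hostname or "").lower(), port

def scrub_for_redirect(request_url: str, location: str, headers: Dict[str, str],
                       auth: Optional[Tuple[str, str]]):
    """Resolve the Location header and drop Host (it is recomputed); on a
    change of scheme, host or port also drop Authorization, Cookie and the
    auth_username/auth_password pair, mirroring the 6.5.6 behaviour."""
    new_url = urljoin(request_url, location)
    new_headers = {k: v for k, v in headers.items() if k.lower() != "host"}
    if origin(new_url) == origin(request_url):
        return new_url, new_headers, auth
    new_headers = {k: v for k, v in new_headers.items()
                   if k.lower() not in SENSITIVE_HEADERS}
    return new_url, new_headers, None

# Constructed redirect chain standing in for live servers (no network needed).
FAKE_SERVERS = {
    "https://api.example.com/login": (302, {"Location": "/v2/login"}),
    "https://api.example.com/v2/login": (302, {"Location": "https://evil.example.net/collect"}),
    "https://evil.example.net/collect": (200, {}),
}

def follow(url, headers, auth, max_redirects=5, scrub=True):
    """Walk the chain by hand (follow_redirects=False style) and record which
    header names and auth reached each hop. scrub=False replays the pre-6.5.6
    behaviour for comparison."""
    trail = []
    for _ in range(max_redirects + 1):
        code, resp_headers = FAKE_SERVERS[url]
        trail.append((url, sorted(k.lower() for k in headers), auth))
        if code not in (301, 302, 303, 307, 308):
            return trail
        if scrub:
            url, headers, auth = scrub_for_redirect(url, resp_headers["Location"], headers, auth)
        else:
            url = urljoin(url, resp_headers["Location"])
    raise RuntimeError("too many redirects")
```

With a real client, issue each request with `follow_redirects=False`, pass the response's `Location` header through `scrub_for_redirect`, and build the next `HTTPRequest` from the returned URL, headers and auth pair.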
Impact
Unauthorized disclosure of authentication tokens and credentials to malicious third parties, leading to account takeover, data breaches, and privilege escalation.
Sources:
Reported By: github.com