CVE-2022-0155 Overview
CVE-2022-0155 is a sensitive data exposure vulnerability in the follow-redirects npm package, a popular Node.js library used to handle HTTP and HTTPS redirects. The vulnerability allows unauthorized exposure of private personal information when HTTP requests containing sensitive headers are redirected to a different domain. Specifically, the library failed to strip confidential headers like Cookie when following redirects across domains, potentially exposing session tokens and authentication credentials to unintended third-party hosts.
Critical Impact
Sensitive authentication headers including cookies can be leaked to unauthorized domains when following HTTP redirects, potentially leading to session hijacking and unauthorized access to user accounts.
Affected Products
- follow-redirects (Node.js package) - versions prior to the security patch
- Siemens SINEC INS - various versions including 1.0 and 1.0 SP1
- Any application using vulnerable versions of the follow-redirects dependency
Discovery Timeline
- 2022-01-10 - CVE-2022-0155 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0155
Vulnerability Analysis
This vulnerability is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The core issue stems from inadequate header sanitization during cross-domain redirects. When an HTTP client using follow-redirects makes a request to a domain that responds with a redirect to a different domain, the library should strip sensitive headers to prevent credential leakage. Prior to the fix, only the Authorization header was being removed during cross-domain redirects, while the Cookie header was preserved and sent to the redirect destination.
The vulnerability requires user interaction in that a victim must initiate a request that gets redirected, but the attack complexity is low as it only requires an attacker to control or influence the redirect destination. The impact is a high confidentiality breach with no integrity or availability impact.
Root Cause
The root cause lies in the incomplete implementation of header sanitization logic in the follow-redirects library. The original code only removed the Authorization header when detecting a cross-domain redirect, failing to account for other sensitive headers such as Cookie. This oversight meant that session tokens, authentication cookies, and other sensitive data stored in cookies would be forwarded to any domain the request was redirected to.
Attack Vector
An attacker can exploit this vulnerability by controlling a redirect destination or by performing a man-in-the-middle attack to inject redirect responses. When a legitimate application makes an HTTP request with cookies attached and follows a malicious redirect, the cookies are sent to the attacker-controlled domain. This network-based attack vector allows for remote exploitation without requiring authentication.
Attack scenarios include:
- Compromised or malicious websites that redirect API requests to attacker-controlled domains
- Open redirect vulnerabilities chained with this cookie leakage
- DNS hijacking scenarios where legitimate domains redirect to malicious endpoints
var redirectUrlParts = url.parse(redirectUrl);
Object.assign(this._options, redirectUrlParts);
- // Drop the Authorization header if redirecting to another domain
+ // Drop the confidential headers when redirecting to another domain
if (!(redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost))) {
- removeMatchingHeaders(/^authorization$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
}
// Evaluate the beforeRedirect callback
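Review bot: The guard above still keys only on the host pair (`redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost)`), so a redirect that keeps the host but changes the scheme, for example from https to http, still forwards Cookie and Authorization over the weaker transport; consider also comparing `redirectUrlParts.protocol` against the current protocol before keeping them. The widened regex `/^(?:authorization|cookie)$/i` also matches exactly those two names, so a Proxy-Authorization header would still cross the domain boundary; if that is intended, a comment saying so would help the next reader.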
Source: GitHub Commit 8b347cbcef7c7b72a6e9be20f5710c17d6163c22
The patch expands the header removal regex pattern from only matching authorization to matching both authorization and cookie headers, ensuring both sensitive credential types are stripped during cross-domain redirects.
Detection Methods for CVE-2022-0155
Indicators of Compromise
- Unexpected outbound HTTP/HTTPS requests from your application to unknown or suspicious domains containing cookie headers
- Network traffic logs showing session cookies or authentication tokens being sent to third-party domains
- Application logs indicating redirect chains that cross trust boundaries with preserved authentication headers
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify vulnerable versions of follow-redirects in your dependency tree
- Monitor network egress traffic for cookie header leakage to non-approved domains
- Use npm audit or similar dependency scanning tools to flag CVE-2022-0155 in your Node.js projects
- Review application logs for unexpected redirect patterns that may indicate exploitation attempts
Monitoring Recommendations
- Configure network monitoring to alert on cookie headers being sent to domains outside your trusted list
- Implement dependency vulnerability scanning in CI/CD pipelines to catch vulnerable package versions
- Monitor for anomalous session activity that could indicate stolen cookies being used by attackers
- Set up alerts for applications following excessive redirect chains that may indicate redirect-based attacks
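The log-review and trusted-domain alerting items above, as an added example that is not part of the original page: it scans constructed outbound-request log lines for redirects that left the trusted domains while still carrying Cookie or Authorization. The JSON log shape (`event`, `from`, `to`, `headersSent`) and the trusted-domain list are assumptions of this example.

```javascript
// Added example: scan outbound-request log lines for redirects that left
// the trusted domains while still forwarding Cookie or Authorization, the
// leakage pattern behind CVE-2022-0155. The log format is an assumption.
const SENSITIVE = /^(?:authorization|cookie)$/i;

// A host is trusted when it equals, or is a subdomain of, a trusted domain.
function isTrustedHost(hostname, trustedDomains) {
  return trustedDomains.some((d) => hostname === d || hostname.endsWith("." + d));
}

// Parse one JSON log line; return null for lines that are not redirect
// events or cannot be parsed, so one bad line does not abort the scan.
function parseRedirectEvent(line) {
  try {
    const ev = JSON.parse(line);
    return ev.event === "redirect" && ev.from && ev.to ? ev : null;
  } catch (e) {
    return null;
  }
}

// Return the redirect events whose destination is outside the trusted
// domains and where at least one confidential header was forwarded.
function findLeakyRedirects(lines, trustedDomains) {
  const findings = [];
  for (const line of lines) {
    const ev = parseRedirectEvent(line);
    if (!ev) continue;
    const dest = new URL(ev.to).hostname;
    if (isTrustedHost(dest, trustedDomains)) continue;
    const leaked = (ev.headersSent || []).filter((h) => SENSITIVE.test(h));
    if (leaked.length) findings.push({ ts: ev.ts, from: ev.from, to: ev.to, leaked });
  }
  return findings;
}

// Constructed sample log lines (not real traffic): one in-domain redirect,
// one off-domain redirect that leaked a cookie, one non-redirect event,
// one off-domain redirect with only harmless headers, and one unparseable line.
const SAMPLE_LOG = [
  '{"ts":"2022-01-10T08:00:01Z","event":"redirect","from":"https://api.example.com/v1/me","to":"https://auth.example.com/login","headersSent":["cookie","accept"]}',
  '{"ts":"2022-01-10T08:00:02Z","event":"redirect","from":"https://api.example.com/v1/me","to":"https://cdn.example.net/u","headersSent":["cookie","accept"]}',
  '{"ts":"2022-01-10T08:00:03Z","event":"request","url":"https://api.example.com/v1/me"}',
  '{"ts":"2022-01-10T08:00:04Z","event":"redirect","from":"https://api.example.com/v1/me","to":"https://cdn.example.net/u","headersSent":["accept"]}',
  'not json at all',
];

function demo() {
  return findLeakyRedirects(SAMPLE_LOG, ["example.com"]);
}
```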
How to Mitigate CVE-2022-0155
Immediate Actions Required
- Update the follow-redirects package to the latest patched version immediately
- Audit your package.json and package-lock.json files for both direct and transitive dependencies on follow-redirects
- Review network logs for potential past exploitation of this vulnerability
- Invalidate and rotate session tokens and cookies for any applications that may have been affected
Patch Information
The vulnerability has been addressed in a security patch available from the upstream maintainers. The fix modifies the header sanitization logic to include the Cookie header alongside the Authorization header when performing cross-domain redirects. Organizations should update to the patched version by running npm update follow-redirects or specifying the fixed version in their package dependencies.
For Siemens SINEC INS users, refer to the Siemens Security Advisory SSA-637483 for specific remediation guidance.
Workarounds
- Manually strip sensitive headers before making requests that may result in redirects
- Configure your HTTP client to disable automatic redirect following and handle redirects manually with proper header sanitization
- Implement network-level controls to prevent requests with sensitive headers from reaching untrusted domains
- Use a web application firewall (WAF) to block or sanitize outbound requests containing session cookies to non-approved destinations
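The first two workarounds (stripping sensitive headers yourself before a request may be redirected, or following redirects manually with proper sanitization), as an added example that is not follow-redirects' own code: it applies the same host rule as the CVE-2022-0155 fix and, for comparison, the pre-patch pattern that only removed Authorization. The function names and the sample headers are assumptions of this example.

```javascript
// Added example (not follow-redirects' own code): decide which headers may
// travel with a redirected request. The host rule mirrors the CVE-2022-0155
// fix (same host or a subdomain keeps the headers); the names and sample
// headers below are assumptions of this example.

// Pattern the patched library strips on cross-domain redirects...
const PATCHED_PATTERN = /^(?:authorization|cookie)$/i;
// ...and the pre-patch pattern, kept here only to show what leaked.
const PRE_PATCH_PATTERN = /^authorization$/i;

// True when `host` is `parent` itself or a subdomain of `parent`.
function isSubdomainOf(host, parent) {
  return host === parent || host.endsWith("." + parent);
}

// Return a copy of `headers` for the request to `redirectUrl`, dropping
// every header matching `pattern` when the redirect leaves the domain of
// `currentUrl` (and its subdomains). Hostnames are compared without port.
function headersForRedirect(headers, currentUrl, redirectUrl, pattern = PATCHED_PATTERN) {
  const currentHost = new URL(currentUrl).hostname;
  const nextHost = new URL(redirectUrl).hostname;
  const staysInDomain = isSubdomainOf(nextHost, currentHost);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!staysInDomain && pattern.test(name)) continue; // stripped
    out[name] = value;
  }
  return out;
}

// Constructed scenario: a request carrying a session cookie and a bearer
// token is redirected off-domain, then to a subdomain of the origin.
function demo() {
  const headers = {
    Cookie: "session=abc123",
    Authorization: "Bearer token",
    Accept: "application/json",
  };
  const origin = "https://example.com/";
  const offDomain = "https://cdn.example.net/u";
  const subdomain = "https://api.example.com/v1";
  return {
    patchedCross: headersForRedirect(headers, origin, offDomain),
    prePatchCross: headersForRedirect(headers, origin, offDomain, PRE_PATCH_PATTERN),
    patchedSubdomain: headersForRedirect(headers, origin, subdomain),
  };
}
```

With the pre-patch pattern the cookie survives the off-domain hop, which is exactly the leak this CVE describes; with the patched pattern both credentials are dropped while harmless headers are kept.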
# Check for vulnerable follow-redirects versions in your project
npm audit | grep follow-redirects
# Update follow-redirects to the latest patched version
npm update follow-redirects
# Verify the installed version
npm list follow-redirects
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.