CVE-2022-0355 Overview
CVE-2022-0355 is a sensitive information exposure vulnerability affecting the simple-get NPM package, a popular HTTP/HTTPS request library for Node.js applications. The vulnerability allows sensitive headers, including authentication cookies and authorization tokens, to be inadvertently leaked to third-party domains during HTTP redirect operations.
When simple-get follows HTTP redirects (3xx status codes), it fails to strip sensitive headers before making requests to the redirected host. This enables an attacker controlling a redirect target to capture authentication credentials, session cookies, and other sensitive information transmitted in request headers.
Critical Impact
Sensitive authentication headers including cookies and authorization tokens can be leaked to malicious third-party domains during HTTP redirects, potentially leading to account compromise and unauthorized access.
Affected Products
- simple-get versions prior to 4.0.1
- simple-get version 4.0.0
- All Node.js applications using vulnerable simple-get versions for HTTP requests
Discovery Timeline
- 2022-01-26 - CVE-2022-0355 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0355
Vulnerability Analysis
This vulnerability is classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). The core issue lies in how simple-get handles HTTP redirect responses without properly sanitizing request headers when the redirect target is a different host than the original request destination.
When a server responds with a 3xx redirect status code, simple-get automatically follows the redirect but preserves the original request headers. This behavior is problematic because sensitive authentication information intended only for the original server is transmitted to the redirect destination, which may be controlled by an attacker.
The vulnerability can be exploited through a network-based attack without requiring any user interaction or special privileges. An attacker can set up a malicious server that returns redirect responses pointing to their controlled endpoint, effectively harvesting any sensitive headers from unsuspecting applications.
Root Cause
The root cause is the failure to distinguish between same-origin and cross-origin redirects when handling HTTP 3xx responses. The library blindly follows redirects while carrying over all original request headers, including security-sensitive ones like cookie and authorization. This violates the security principle that credentials should only be sent to their intended destination.
Attack Vector
An attacker can exploit this vulnerability as follows:
- The attacker sets up a malicious server that responds with a 3xx redirect to an attacker-controlled endpoint
- The attacker tricks a vulnerable application into making a request to the malicious server (e.g., through user-supplied URLs, open redirects, or compromised resources)
- The vulnerable simple-get library follows the redirect and sends all original headers, including sensitive authentication data
- The attacker's endpoint receives and captures the leaked credentials
The security patch addresses this by tracking the original hostname and comparing it against the redirect target, removing sensitive headers when a cross-origin redirect is detected:
if (opts.json) opts.headers.accept = 'application/json'
if (opts.method) opts.method = opts.method.toUpperCase()
+ const originalHost = opts.hostname // hostname before potential redirect
const protocol = opts.protocol === 'https:' ? https : http // Support http/https urls
const req = protocol.request(opts, res => {
if (opts.followRedirects !== false && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
opts.url = res.headers.location // Follow 3xx redirects
delete opts.headers.host // Discard `host` header on redirect (see #32)
res.resume() // Discard response
+ const redirectHost = url.parse(opts.url).hostname // eslint-disable-line node/no-deprecated-api
+ // If redirected host is different than original host, drop headers to prevent cookie leak (#73)
+ if (redirectHost !== null && redirectHost !== originalHost) {
+ delete opts.headers.cookie
+ delete opts.headers.authorization
+ }
+
if (opts.method === 'POST' && [301, 302].includes(res.statusCode)) {
opts.method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
delete opts.headers['content-length']; delete opts.headers['content-type']
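Review bot: the same-origin test in this hunk compares hostnames only, so a redirect that keeps the host but changes scheme or port (for example an https to http downgrade on the same host) still forwards `cookie` and `authorization`; comparing the parsed URL's `protocol` and `port` as well would close that gap. The deletes also target the lowercase keys `opts.headers.cookie` and `opts.headers.authorization`; unless header names are normalized to lowercase before this point, a caller-supplied `Cookie` or `Authorization` key would survive the redirect, so either normalize earlier or delete case-insensitively. The `redirectHost !== null` guard correctly treats a relative Location (no hostname after `url.parse`) as same-host.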
Source: GitHub Commit Update
Detection Methods for CVE-2022-0355
Indicators of Compromise
- Unexpected network connections to unknown third-party domains following legitimate API requests
- Authentication tokens or session cookies appearing in logs for external domains
- Anomalous redirect chains in HTTP traffic patterns
- Application logs showing credential usage from unexpected IP addresses or geographic locations
Detection Strategies
- Audit package.json and package-lock.json files for simple-get versions below 4.0.1
- Use software composition analysis (SCA) tools to identify vulnerable dependencies in the dependency tree
- Monitor network traffic for HTTP redirect chains that traverse multiple domains
- Implement dependency scanning in CI/CD pipelines to catch vulnerable package versions before deployment
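The package-lock audit suggested above, as an added example that is not part of the advisory or the simple-get project: it walks both lockfile formats and reports every copy of simple-get below 4.0.1, including nested copies installed under other packages, which a top-level version check would miss. The lockfile fragment is constructed for the example.

```javascript
// Added example (not from the advisory): scan a parsed package-lock.json object for
// simple-get versions below 4.0.1, including copies nested under other packages.
const FIXED_VERSION = [4, 0, 1];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1, 4).map(Number) : null;
}

function isBelow(version, fixed) {
  const a = parseVersion(version);
  if (!a) return false; // unparseable spec (git URL, tag): review separately
  for (let i = 0; i < 3; i++) {
    if (a[i] !== fixed[i]) return a[i] < fixed[i];
  }
  return false; // exactly the fixed version
}

function findVulnerableSimpleGet(lock) {
  const findings = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/simple-get') && isBelow(entry.version, FIXED_VERSION)) {
      findings.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, each entry carrying its own "version"
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'simple-get' && isBelow(entry.version, FIXED_VERSION)) findings.push({ path, version: entry.version });
      walk(entry.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}

// Constructed lockfile fragment: a patched top-level copy and a vulnerable nested copy.
const constructedLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/simple-get': { version: '4.0.1' },
    'node_modules/some-client': { version: '1.2.0', dependencies: { 'simple-get': '^3.1.0' } },
    'node_modules/some-client/node_modules/simple-get': { version: '3.1.0' },
  },
};
```

Run it against `JSON.parse(fs.readFileSync('package-lock.json'))` to get the same report for a real project.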
Monitoring Recommendations
- Enable network traffic logging to detect cross-origin redirect patterns
- Implement alerts for authentication failures from unusual locations indicating potential credential theft
- Use runtime application security monitoring to detect sensitive header leakage
- Monitor NPM audit reports and security advisories for the simple-get package
How to Mitigate CVE-2022-0355
Immediate Actions Required
- Update simple-get to version 4.0.1 or later immediately across all projects
- Run npm audit to identify this and other vulnerable dependencies in your applications
- Review application code for user-controlled URLs being passed to simple-get
- Rotate any authentication tokens or credentials that may have been exposed through affected applications
Patch Information
The vulnerability is fixed in simple-get version 4.0.1. The fix implements hostname comparison logic that removes sensitive headers (cookie and authorization) when following redirects to different domains. The patch commit e4af095e06cd69a9235013e8507e220a79b9684f is available in the GitHub repository.
For additional details, refer to the GitHub Security Advisory and the Huntr Bounty Report.
Workarounds
- Disable automatic redirect following by setting followRedirects: false and manually handling redirects with header sanitization
- Implement URL allowlisting to restrict simple-get requests to known trusted domains only
- Use network-level controls to block outbound requests to untrusted destinations
- Consider using alternative HTTP client libraries with built-in cross-origin redirect protections
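The cross-origin check described under Root Cause and the manual redirect handling suggested in the first workaround, as an added example that is not simple-get's own code: it decides which request headers may be forwarded to a redirect target and follows a chain through a caller-supplied transport so it runs offline. It goes beyond the 4.0.1 patch by also treating a change of scheme or port as cross-origin and by resolving relative Location values; the hostnames and responses are constructed for the example.

```javascript
// Added example, not simple-get's own code: forward only the headers that are safe
// for a redirect target. Unlike the 4.0.1 patch it also treats a change of scheme
// or port as cross-origin and resolves relative Location values against the original URL.
const SENSITIVE_HEADERS = ['cookie', 'authorization'];

function isSameOrigin(a, b) {
  // URL drops default ports, so https://h:443/ and https://h/ compare equal
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

function headersForRedirect(originalUrl, location, headers) {
  const from = new URL(originalUrl);
  const to = new URL(location, from); // a relative Location resolves against the original
  const crossOrigin = !isSameOrigin(from, to);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase(); // match case-insensitively, not by a fixed property name
    if (lower === 'host') continue; // host is recomputed for the new target
    if (crossOrigin && SENSITIVE_HEADERS.includes(lower)) continue;
    out[lower] = value;
  }
  return { url: to.href, headers: out, crossOrigin };
}

// Follow a redirect chain through a caller-supplied transport so the logic runs offline;
// fetchOnce(url, headers) returns { status, location? }. Records what each hop was sent.
function followRedirects(startUrl, headers, fetchOnce, maxRedirects = 10) {
  let url = startUrl;
  let hdrs = { ...headers };
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    const res = fetchOnce(url, hdrs);
    hops.push({ url, sentHeaders: { ...hdrs }, status: res.status });
    if (res.status < 300 || res.status >= 400 || !res.location) return { final: res, hops };
    ({ url, headers: hdrs } = headersForRedirect(url, res.location, hdrs));
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for the network: a same-host redirect, then a cross-host one.
const constructedResponses = {
  'https://api.example.com/login': { status: 302, location: '/v2/login' },
  'https://api.example.com/v2/login': { status: 301, location: 'https://other.example.net/collect' },
  'https://other.example.net/collect': { status: 200 },
};
function demoChain() {
  const creds = { Cookie: 'sid=abc123', Authorization: 'Bearer token', Accept: 'application/json' };
  return followRedirects('https://api.example.com/login', creds, url => constructedResponses[url] || { status: 404 });
}
```

In the constructed chain the second hop still carries the cookie (same host), while the third hop to the other host receives only the Accept header.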
# Configuration example
# Update simple-get to the patched version (npm update does not take a version spec, so use install)
npm install simple-get@^4.0.1
# Or explicitly install the latest secure version
npm install simple-get@latest
# Verify the installed version, including nested copies under other packages
npm ls simple-get
# Run security audit to check for remaining vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.