CVE-2022-0536 Overview
CVE-2022-0536 is an Improper Removal of Sensitive Information Before Storage or Transfer vulnerability in the NPM follow-redirects package prior to version 1.14.8. This vulnerability allows sensitive headers such as Authorization and Cookie to be inadvertently forwarded when a redirect changes the protocol (scheme) but stays on the same domain or moves to a subdomain of it, potentially exposing credentials to unintended recipients.
Critical Impact
Confidential authentication headers may be leaked to third-party servers during HTTP redirects when the protocol changes (e.g., from HTTPS to HTTP), even when redirecting to the same domain.
Affected Products
- follow-redirects NPM package versions prior to 1.14.8
- Node.js applications using vulnerable versions of follow-redirects
- Any downstream packages or applications depending on affected follow-redirects versions
Discovery Timeline
- 2022-02-09 - CVE-2022-0536 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0536
Vulnerability Analysis
The vulnerability exists in how the follow-redirects library handles the removal of confidential HTTP headers during redirect operations. When a redirect occurs, the library is designed to strip sensitive headers like Authorization and Cookie to prevent credential leakage to untrusted domains. However, the original implementation only checked whether the redirect target was the same domain or a subdomain, failing to account for protocol (scheme) changes.
This oversight means that if an attacker can control a redirect destination with a different protocol (such as redirecting from HTTPS to HTTP on the same domain), confidential headers would be preserved and transmitted over the less secure connection or to an attacker-controlled server.
Root Cause
The root cause of CVE-2022-0536 is an incomplete security check in the redirect handling logic. The original code only verified domain consistency when deciding whether to drop confidential headers, but it did not verify protocol consistency. This allowed attackers to exploit protocol downgrade scenarios where credentials could be exposed over unencrypted HTTP connections or redirected to malicious endpoints.
Attack Vector
An attacker who can influence redirect URLs (through various means such as open redirect vulnerabilities, DNS manipulation, or compromised web servers) could exploit this vulnerability to capture sensitive authentication information. The attack requires network access and the ability to manipulate redirect targets. The confidentiality impact is high as authentication credentials could be exfiltrated, though exploitation complexity is elevated due to the network positioning requirements.
var redirectUrlParts = url.parse(redirectUrl);
Object.assign(this._options, redirectUrlParts);
- // Drop the confidential headers when redirecting to another domain
- if (!(redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost))) {
+ // Drop confidential headers when redirecting to another scheme:domain
+ if (redirectUrlParts.protocol !== currentUrlParts.protocol ||
+ !isSameOrSubdomain(redirectUrlParts.host, currentHost)) {
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
}
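Review bot: `currentUrlParts` is referenced in the new condition but is not defined anywhere in this hunk, and `this._options` has already been overwritten with `redirectUrlParts` by the `Object.assign` two lines above, so `currentUrlParts` (like `currentHost`) has to be captured from the pre-redirect URL before that assignment or the protocol comparison sees the redirect target on both sides and never fires; please confirm where it is set. The inline `host === currentHost || isSubdomainOf(...)` test is also replaced by a new `isSameOrSubdomain` helper, so a test for the same-host, https-to-http case (the exact scenario this fix targets) would make the change verifiable.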
Source: GitHub Commit
The patch adds an additional check for protocol consistency (redirectUrlParts.protocol !== currentUrlParts.protocol), ensuring that confidential headers are stripped whenever the protocol changes, regardless of domain matching.
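The decision described in the Vulnerability Analysis and Root Cause sections and in the patch explanation above, as an added example that is not follow-redirects' own code: the pre-1.14.8 host-only check beside the 1.14.8 scheme-plus-host check, applied to a constructed https-to-http redirect on the same host. Only Node's built-in WHATWG URL class is used; all hostnames and header values are constructed samples.

```javascript
// Added example, not follow-redirects' own code: the redirect-time decision that
// CVE-2022-0536 got wrong, with the pre-1.14.8 logic beside the 1.14.8 logic.
// Only Node's built-in WHATWG URL class is used; all hostnames are constructed.
const CONFIDENTIAL = /^(?:authorization|cookie)$/i;

// Same-or-subdomain test shared by both checks (host includes any port).
function isSameOrSubdomain(host, base) {
  return host === base || host.endsWith('.' + base);
}

// Pre-1.14.8: only the host was compared, so https -> http on the same host
// kept Authorization and Cookie.
function dropsHeadersVulnerable(currentUrl, redirectUrl) {
  const cur = new URL(currentUrl), next = new URL(redirectUrl);
  return !isSameOrSubdomain(next.host, cur.host);
}

// 1.14.8: a scheme change also drops the headers, whatever the host.
function dropsHeadersFixed(currentUrl, redirectUrl) {
  const cur = new URL(currentUrl), next = new URL(redirectUrl);
  return next.protocol !== cur.protocol || !isSameOrSubdomain(next.host, cur.host);
}

// Delete headers whose names match the pattern (case-insensitive) and return
// the names removed, so the decision can be logged.
function removeMatchingHeaders(pattern, headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (pattern.test(name)) { removed.push(name); delete headers[name]; }
  }
  return removed;
}

// Simulate one redirect hop under a policy; returns the headers that would
// be sent to the redirect target (the input object is left untouched).
function headersAfterRedirect(currentUrl, redirectUrl, headers, decide) {
  const out = { ...headers };
  if (decide(currentUrl, redirectUrl)) removeMatchingHeaders(CONFIDENTIAL, out);
  return out;
}

// Constructed sample: same host, scheme downgraded from https to http.
const sampleHeaders = { Authorization: 'Bearer <token>', Cookie: 'sid=<id>', Accept: '*/*' };
const hop = ['https://api.example.test/v1', 'http://api.example.test/v1'];
console.log('pre-1.14.8:', headersAfterRedirect(...hop, sampleHeaders, dropsHeadersVulnerable));
console.log('1.14.8:    ', headersAfterRedirect(...hop, sampleHeaders, dropsHeadersFixed));
```

Running it shows the pre-1.14.8 policy forwarding both Authorization and Cookie to the plain-HTTP target, while the 1.14.8 policy strips them and keeps only the non-confidential Accept header.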
Detection Methods for CVE-2022-0536
Indicators of Compromise
- Unexpected HTTP traffic containing Authorization or Cookie headers to external or downgraded protocol endpoints
- Network logs showing credential headers being transmitted during redirect chains
- Application logs indicating protocol downgrades during HTTP redirects
Detection Strategies
- Implement Software Composition Analysis (SCA) to identify vulnerable versions of follow-redirects in your dependency tree
- Monitor network traffic for credential headers being transmitted to unexpected destinations
- Use npm audit or similar dependency scanning tools to detect outdated packages
Monitoring Recommendations
- Enable detailed logging for HTTP redirect operations in applications using follow-redirects
- Monitor for anomalous authentication failures that could indicate credential theft
- Implement network-level monitoring for HTTP requests containing authentication headers to non-HTTPS endpoints
How to Mitigate CVE-2022-0536
Immediate Actions Required
- Upgrade follow-redirects to version 1.14.8 or later immediately
- Audit all applications and dependencies for vulnerable versions of follow-redirects
- Review application logs for any suspicious redirect activity that may have exposed credentials
Patch Information
The vulnerability has been addressed in follow-redirects version 1.14.8. The fix adds protocol consistency checking to the confidential header stripping logic, ensuring that sensitive headers are removed when redirecting to a different protocol, even if the domain remains the same. For detailed patch information, see the GitHub commit.
Workarounds
- If immediate patching is not possible, implement network-level controls to prevent HTTP downgrade attacks
- Configure applications to explicitly reject redirects to non-HTTPS URLs when handling sensitive data
- Consider implementing custom redirect handlers that strip sensitive headers regardless of destination
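The last two workarounds above as one application-side guard, added here as an example and not code from follow-redirects. It is written in the shape of follow-redirects' beforeRedirect hook; the assumptions are that the hook's first argument carries the parsed redirect target (protocol, host, headers), as the Object.assign in the patched code suggests, and that throwing from the hook aborts the redirect. The objects below are constructed so the guard can be exercised offline.

```javascript
// Added example, not follow-redirects' own code. Assumption: this function is
// passed as the `beforeRedirect` option and receives the redirect target's
// parsed options (protocol, host, headers); throwing aborts the redirect.
const CONFIDENTIAL = /^(?:authorization|cookie)$/i;

// Remove Authorization/Cookie from a copy of the headers, whatever the target.
function stripConfidential(headers) {
  const out = { ...headers };
  for (const name of Object.keys(out)) if (CONFIDENTIAL.test(name)) delete out[name];
  return out;
}

// Policy for sensitive requests: never follow a redirect off HTTPS, and never
// carry credentials across a redirect hop even when the scheme is unchanged.
function guardRedirect(options) {
  if (options.protocol !== 'https:') {
    throw new Error('refusing redirect to non-HTTPS target ' + options.protocol + '//' + options.host);
  }
  options.headers = stripConfidential(options.headers || {});
  return options;
}

// Constructed target objects standing in for what the hook would receive.
console.log(guardRedirect({ protocol: 'https:', host: 'api.example.test',
  headers: { Authorization: 'Bearer <token>', Accept: '*/*' } }).headers);
try { guardRedirect({ protocol: 'http:', host: 'api.example.test', headers: {} }); }
catch (e) { console.log(e.message); }
```

With follow-redirects this would be wired as `{ beforeRedirect: guardRedirect }` in the request options; the guard is independent of the library version, so it also covers unpatched builds until the upgrade lands.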
# Upgrade follow-redirects to patched version
npm update follow-redirects
# Or install specific patched version
npm install follow-redirects@1.14.8
# Audit for vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


