CVE-2022-0654 Overview
CVE-2022-0654 is a sensitive information exposure vulnerability affecting the node-request-retry npm package prior to version 7.0.0. This vulnerability allows sensitive HTTP headers, specifically Cookie and Authorization headers, to be forwarded during URL redirects. When the library follows a redirect to a different domain, these authentication credentials could be leaked to unauthorized third parties.
Critical Impact
Sensitive authentication credentials including cookies and authorization tokens may be exposed to unauthorized actors when HTTP redirects are followed across domains, potentially leading to session hijacking or account takeover.
Affected Products
- node-request-retry versions prior to 7.0.0
- Node.js applications using vulnerable versions of node-request-retry
- Systems performing HTTP requests with automatic retry functionality through this library
Discovery Timeline
- 2022-02-23 - CVE-2022-0654 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0654
Vulnerability Analysis
This vulnerability is classified as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200). The node-request-retry library wraps the popular request module to add automatic retry functionality for failed HTTP requests. The security flaw exists in how the library handles HTTP redirects—when a request results in a redirect response, the library would forward all headers, including sensitive Cookie and Authorization headers, to the new destination URL regardless of whether it was on the same domain.
This behavior is particularly dangerous in scenarios where an attacker can control or influence the redirect destination, or when legitimate services redirect to third-party domains. The vulnerability can be exploited remotely without authentication and requires no user interaction, making it a network-accessible attack vector with low complexity.
Root Cause
The root cause of this vulnerability lies in the library's failure to sanitize or filter sensitive headers before following HTTP redirects. The original implementation did not differentiate between same-origin and cross-origin redirects, blindly forwarding all request headers including authentication credentials to any redirect target. This violates the security principle that authentication headers should not cross domain boundaries without explicit consent.
Attack Vector
An attacker could exploit this vulnerability by:
- Controlling a redirect endpoint that a vulnerable application makes requests to
- Configuring the redirect to point to an attacker-controlled server
- Capturing the forwarded Cookie and Authorization headers containing session tokens or API keys
- Using the captured credentials to impersonate legitimate users or access protected resources
The attack requires the vulnerable application to make HTTP requests with authentication headers to a URL that can be redirected, either through attacker control or by leveraging open redirect vulnerabilities in legitimate services.
var request = require('request');
var RetryStrategies = require('./strategies');
var _ = require('lodash');
+var url = require('url');
+var querystring = require("querystring");
var DEFAULTS = {
maxAttempts: 5, // try 5 times
Source: GitHub Commit Update
The security patch introduces URL parsing capabilities by importing the url and querystring modules, enabling the library to properly analyze redirect destinations and prevent sensitive header forwarding to cross-origin targets.
Detection Methods for CVE-2022-0654
Indicators of Compromise
- Unexpected outbound HTTP requests containing authorization headers to unknown or suspicious domains
- Authentication tokens appearing in logs of third-party services
- Session tokens being used from unexpected IP addresses or locations
- Anomalous network traffic patterns showing credential data in requests to non-application domains
Detection Strategies
- Implement dependency scanning using tools like npm audit or Snyk to identify vulnerable versions of node-request-retry in your codebase
- Monitor network traffic for HTTP requests that include Authorization or Cookie headers to unexpected external domains
- Review application logs for redirect chains that traverse multiple domains while carrying authentication headers
- Deploy SentinelOne Singularity platform to detect anomalous application behavior and credential leakage patterns
Monitoring Recommendations
- Configure web application firewalls to alert on sensitive header data in requests to non-whitelisted domains
- Implement egress filtering and logging to track outbound requests containing authentication headers
- Use SentinelOne's real-time behavioral analysis to identify applications exhibiting credential forwarding behavior
- Establish baseline network communication patterns to detect deviations indicating potential exploitation
How to Mitigate CVE-2022-0654
Immediate Actions Required
- Upgrade node-request-retry to version 7.0.0 or later immediately
- Audit all Node.js applications for usage of vulnerable versions using npm ls node-request-retry
- Review application logs for any evidence of credential leakage to third-party domains
- Rotate any authentication tokens or API keys that may have been exposed through vulnerable applications
Patch Information
The vulnerability has been addressed in commit 0979c6001d9d57c2aac3157c11b007397158922a. The fix introduces proper URL parsing to detect cross-origin redirects and prevents Cookie and Authorization headers from being forwarded when redirecting to different domains. Organizations should update to version 7.0.0 or later, which contains this security fix. For more information, refer to the GitHub Commit Update and the Huntr Bounty Listing.
Workarounds
- If immediate upgrade is not possible, implement application-level validation to strip sensitive headers before making requests that may result in redirects
- Configure network-level controls to block or alert on redirects to untrusted domains
- Use a reverse proxy or API gateway to sanitize outbound requests and prevent credential forwarding
# Update node-request-retry to patched version
npm update node-request-retry@^7.0.0
# Verify the installed version
npm ls node-request-retry
# Audit dependencies for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
