CVE-2022-1650 Overview
CVE-2022-1650 is a critical vulnerability affecting the eventsource Node.js library prior to version 2.0.2. The vulnerability stems from improper removal of sensitive information before storage or transfer, specifically failing to strip sensitive HTTP headers when following redirects to a different origin. This information disclosure flaw can lead to credential leakage when an attacker controls a redirect destination.
Critical Impact
Sensitive authentication headers including authorization tokens and cookies can be exposed to malicious third-party servers when eventsource follows redirects across origins, potentially enabling full account takeover or unauthorized access to protected resources.
Affected Products
- eventsource for Node.js (versions prior to 2.0.2)
- Debian Linux 10.0
- Applications using vulnerable eventsource versions as a dependency
Discovery Timeline
- 2022-05-12 - CVE-2022-1650 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-1650
Vulnerability Analysis
This vulnerability is classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). The eventsource library implements the EventSource interface for Server-Sent Events (SSE) in Node.js applications. When an SSE connection follows an HTTP redirect to a different origin, the library fails to sanitize sensitive headers from the outgoing request.
The vulnerability allows network-based exploitation requiring user interaction, where an attacker can intercept sensitive credentials by manipulating redirect destinations. The impact extends beyond the initial security context, potentially compromising confidentiality and integrity of data across multiple systems.
Root Cause
The root cause lies in the EventSource constructor within lib/eventsource.js. Prior to the fix, when the library followed HTTP redirects, it would preserve all custom headers—including authentication headers like Authorization and Cookie—regardless of whether the redirect destination was the same origin as the original request. This behavior violates security best practices for cross-origin requests, where sensitive credentials should never be transmitted to untrusted domains.
Attack Vector
An attacker can exploit this vulnerability through the following scenario:
- The victim's application establishes an EventSource connection to a legitimate server with authentication headers
- The attacker compromises or controls a server that can influence the redirect response
- When a redirect occurs pointing to an attacker-controlled server, the eventsource library forwards sensitive headers to the malicious destination
- The attacker captures authentication tokens, API keys, or session cookies from the misdirected request
**/
function EventSource (url, eventSourceInitDict) {
var readyState = EventSource.CONNECTING
+ var headers = eventSourceInitDict && eventSourceInitDict.headers
+ var hasNewOrigin = false
Object.defineProperty(this, 'readyState', {
get: function () {
return readyState
Source: GitHub Commit Update
The patch introduces origin tracking via the hasNewOrigin variable to detect cross-origin redirects and strip sensitive headers when the destination differs from the original request origin.
Detection Methods for CVE-2022-1650
Indicators of Compromise
- Outbound SSE connections redirecting to unexpected external domains
- Authorization or authentication headers appearing in network traffic to third-party servers
- Unusual cross-origin redirect patterns in application logs
- Authentication tokens or cookies being logged by external services
Detection Strategies
- Monitor npm dependency trees for eventsource versions below 2.0.2 using npm audit or similar tools
- Implement network-level monitoring for SSE connections that redirect across origins
- Review application logs for EventSource redirect chains involving external domains
- Deploy web application firewalls (WAF) rules to detect sensitive header leakage in cross-origin redirects
Monitoring Recommendations
- Enable verbose logging for EventSource connections in development and staging environments
- Set up alerts for dependency vulnerability reports affecting eventsource
- Monitor for anomalous authentication failures that could indicate credential theft
- Track outbound network connections from Node.js applications to unexpected destinations
How to Mitigate CVE-2022-1650
Immediate Actions Required
- Update eventsource to version 2.0.2 or later immediately using npm update eventsource
- Audit applications for direct and transitive dependencies on vulnerable eventsource versions
- Rotate any authentication credentials that may have been exposed through SSE connections
- Review network logs for potential past exploitation attempts
Patch Information
The security fix is available in eventsource version 2.0.2 and later. The patch, committed with hash 10ee0c4881a6ba2fe65ec18ed195ac35889583c4, introduces origin tracking to detect cross-origin redirects and properly strips sensitive headers before forwarding requests. Users should update using their package manager:
For detailed information about the vulnerability disclosure, see the Huntr Bounty Details. Debian users should refer to the Debian LTS Announcement for distribution-specific patches.
Workarounds
- Avoid using EventSource connections with sensitive headers when connecting to servers that may issue redirects
- Implement application-level validation of redirect destinations before allowing EventSource connections
- Configure network policies to prevent SSE connections from following redirects to untrusted domains
- Consider using alternative SSE implementations that properly handle cross-origin credential stripping
# Update eventsource to patched version
npm update eventsource
# Verify installed version
npm list eventsource
# Audit for other vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
