CVE-2024-28849 Overview
CVE-2024-28849 is a credential leakage vulnerability in the follow-redirects Node.js package, an open source drop-in replacement for Node's http and https modules that automatically follows HTTP redirects. The vulnerability exists because the package fails to properly sanitize sensitive headers during cross-domain redirects, specifically retaining the Proxy-Authorization header while correctly clearing the standard Authorization header.
Critical Impact
Applications using follow-redirects may inadvertently leak proxy authentication credentials to malicious third-party servers during cross-domain redirects, potentially exposing internal network access or privileged credentials.
Affected Products
- follow-redirects versions prior to 1.15.6
- Node.js applications using vulnerable follow-redirects as a dependency
- Applications relying on proxy authentication through follow-redirects
Discovery Timeline
- 2024-03-14 - CVE-2024-28849 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2024-28849
Vulnerability Analysis
The follow-redirects package is designed to transparently handle HTTP redirects for Node.js applications, maintaining critical request properties across redirect chains. However, this implementation contained an oversight in its security header handling logic. While the code correctly identified and removed the Authorization and Cookie headers when following redirects to different domains, it failed to apply the same protection to the Proxy-Authorization header.
This inconsistency creates a significant security gap. When an application makes a request through a proxy that requires authentication, the Proxy-Authorization header contains credentials (typically in Base64-encoded format). If a malicious server responds with a redirect to a different domain, those proxy credentials would be sent along with the redirected request, exposing them to the attacker-controlled destination.
Root Cause
The root cause lies in an incomplete regular expression pattern used to identify security-sensitive headers that should be stripped during cross-domain redirects. The original implementation used the pattern /^(?:authorization|cookie)$/i which only matched authorization and cookie headers. The proxy-authorization header was not included in this pattern, allowing it to persist across redirect boundaries to different hosts.
Attack Vector
The attack can be executed remotely over the network. An attacker can exploit this vulnerability by:
- Setting up a malicious server that responds with HTTP redirect responses (301, 302, 303, 307, or 308)
- Tricking a vulnerable application into making a request that will be redirected to the attacker's server
- When the application follows the redirect, the Proxy-Authorization header is preserved and sent to the attacker's server
- The attacker captures the credentials from the incoming request headers
This requires low privileges to exploit and does not require user interaction, making it feasible in automated attack scenarios.
// Security patch showing the fix
// Source: https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
redirectUrl.protocol !== "https:" ||
redirectUrl.host !== currentHost &&
!isSubdomain(redirectUrl.host, currentHost)) {
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}
// Evaluate the beforeRedirect callback
The fix updates the regular expression to include an optional proxy- prefix, ensuring both Authorization and Proxy-Authorization headers are removed during cross-domain redirects.
Detection Methods for CVE-2024-28849
Indicators of Compromise
- Unexpected outbound HTTP requests containing Proxy-Authorization headers to external domains
- Network traffic showing proxy credentials being transmitted to non-proxy destinations
- Log entries indicating redirects from internal services to external or untrusted domains
- Authentication failures on proxy servers suggesting credential compromise
Detection Strategies
- Implement network monitoring to detect Proxy-Authorization headers in traffic destined for non-proxy servers
- Use Software Composition Analysis (SCA) tools to identify follow-redirects versions prior to 1.15.6 in your dependency tree
- Monitor npm audit results for CVE-2024-28849 alerts in CI/CD pipelines
- Review application logs for unexpected redirect chains crossing domain boundaries
Monitoring Recommendations
- Enable verbose logging on proxy servers to track authentication attempts with potentially compromised credentials
- Implement egress filtering to monitor and alert on sensitive header leakage
- Set up dependency vulnerability scanning in development and production environments
- Configure network intrusion detection systems to flag Proxy-Authorization headers in non-proxy traffic
How to Mitigate CVE-2024-28849
Immediate Actions Required
- Upgrade follow-redirects to version 1.15.6 or later immediately
- Audit applications for direct and transitive dependencies on follow-redirects using npm ls follow-redirects
- Rotate any proxy authentication credentials that may have been exposed
- Review network logs for evidence of credential leakage to external domains
Patch Information
The vulnerability has been addressed in follow-redirects version 1.15.6. The fix modifies the header sanitization logic to include Proxy-Authorization in the list of sensitive headers that are removed during cross-domain redirects. Users should upgrade by running:
npm update follow-redirects
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-cxjh-pqwp-8mfp and the security patch commit.
Workarounds
- There are no known workarounds for this vulnerability according to the vendor advisory
- As a temporary measure, consider implementing network-level egress filtering to prevent sensitive headers from leaving trusted network boundaries
- Review and restrict which applications are permitted to make external HTTP requests through authenticated proxies
- Consider implementing a proxy layer that strips sensitive headers before forwarding requests to external destinations
# Check for vulnerable follow-redirects versions in your project
npm ls follow-redirects
# Update to the patched version
npm update follow-redirects
# Verify the update was successful
npm ls follow-redirects | grep "1.15.6"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
