GHSA-R4Q5-VMMM-2653: Information Exposure via Sensitive Header Leak in follow-redirects

Vulnerability ID: GHSA-R4Q5-VMMM-2653
CVSS Score: 7.4
Published: 2026-04-14

The follow-redirects Node.js library contains an information exposure vulnerability where sensitive custom authentication headers are leaked to cross-domain redirect targets. A hardcoded regex blacklist failed to remove non-standard headers during cross-origin redirects or protocol downgrades.

TL;DR

The follow-redirects package leaks custom HTTP headers (such as X-API-Key) to third-party domains upon HTTP 302 redirects due to an incomplete header sanitization blacklist.

⚠️ Exploit Status: POC

Technical Details

• Vulnerability Type: Information Exposure (Sensitive Header Leak)
• CWE ID: CWE-200
• CVSSv3 Score: 7.4
• Attack Vector: Network
• Privileges Required: None
• Affected Component: RedirectableRequest class
• Exploit Status: Proof of Concept available

Affected Systems

• follow-redirects (NPM)
• Node.js Applications
• axios (Transitive Dependency users)
• follow-redirects: < 1.15.6 (Fixed in: 1.15.6)

Code Analysis

Commit: 844c4d3

Introduced the sensitiveHeaders configuration option and dynamic regex generation to filter custom headers during cross-origin redirects.

Mitigation Strategies

• Dependency Upgrade
• Configuration Updates
• Redirect Disabling

Remediation Steps:

1. Update follow-redirects to version 1.15.6 or higher via the package manager.
2. Identify all custom HTTP headers used for authentication or authorization in the codebase.
3. Pass the identified headers into the sensitiveHeaders option array when constructing HTTP requests.
4. Review higher-level HTTP clients (like axios) for mechanisms to pass down the sensitiveHeaders configuration.

References

• GitHub Advisory: GHSA-R4Q5-VMMM-2653
• follow-redirects Patch Commit
• follow-redirects Repository

Read the full report for GHSA-R4Q5-VMMM-2653 on our website for more details including interactive diagrams and full exploit analysis.