MEDIUM · CVSS 6.5
CVE-2024-28849 — Follow-Redirects credential forwarding
follow-redirects kept the Authorization header when following a redirect to a different origin, so credentials sent to the intended host were delivered to whichever host the redirect pointed at, including attacker-controlled ones, during ordinary HTTP client use (Axios uses follow-redirects under Node.js).
Affects
- follow-redirects < 1.15.6
What an attacker does
An attacker controls a URL that your backend requests with an Authorization header. Their server answers with a redirect to a host they control. Because follow-redirects preserved the Authorization header across the cross-origin redirect, the bearer token was delivered to the attacker's host.
How to detect
Check your package lockfile for any resolved follow-redirects version below 1.15.6, including nested copies under other packages. Also check for axios below 1.6.8, which depended on the vulnerable range.
How to fix
Upgrade follow-redirects to 1.15.6 or later. Upgrade axios to 1.6.8 or later, which pulls in the fixed follow-redirects.
How Securie catches it
Securie's dependency graph flags transitive exposure: your app may not import follow-redirects directly but can still pull it in via axios.