Skip to content

chore(deps): update dependency follow-redirects to v1.16.0 [security]#328

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-follow-redirects-vulnerability
Apr 16, 2026
Merged

chore(deps): update dependency follow-redirects to v1.16.0 [security]#328
renovate[bot] merged 1 commit intomainfrom
renovate/npm-follow-redirects-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate bot commented Apr 16, 2026

This PR contains the following updates:

Package Change Age Confidence
follow-redirects 1.15.111.16.0 age confidence

GitHub Vulnerability Alerts

GHSA-r4q5-vmmm-2653

Summary

When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.

Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.

Affected Code

index.js, lines 469-476:

if (redirectUrl.protocol !== currentUrlParts.protocol &&
   redirectUrl.protocol !== "https:" ||
   redirectUrl.host !== currentHost &&
   !isSubdomain(redirectUrl.host, currentHost)) {
  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}

The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.

Attack Scenario

  1. App uses axios with custom auth header: headers: { 'X-API-Key': 'sk-live-secret123' }
  2. Server returns 302 Location: https://evil.com/steal
  3. follow-redirects sends X-API-Key: sk-live-secret123 to evil.com
  4. Attacker captures the API key

Impact

Any custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.

Suggested Fix

Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.

Disclosure

Source code review, manually verified. Found 2026-03-20.

Severity
  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Release Notes

follow-redirects/follow-redirects (follow-redirects)

v1.16.0

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 16, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hliquity-frontend Ready Ready Preview, Comment Apr 16, 2026 8:51am

Request Review

@renovate renovate bot merged commit ee4887a into main Apr 16, 2026
10 checks passed
@renovate renovate bot deleted the renovate/npm-follow-redirects-vulnerability branch April 16, 2026 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants