CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence: High
EPSS Percentile: 10.3%
follow-redirects is vulnerable to Credential Leakage. Affected versions remove the Authorization and Cookie request headers when following a redirect to a different host, but do not remove the Proxy-Authorization header, so proxy credentials are forwarded along with the redirected request. An attacker who can make a server the client talks to redirect to a host they control receives the follow-up request with the Proxy-Authorization header intact and can capture the credentials it carries. The fix (commit c4f847f, released in follow-redirects 1.15.6) adds Proxy-Authorization to the set of headers dropped on cross-host redirects.
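The header filtering described above, modelled as an added JavaScript example that is not follow-redirects' own code. The two regular expressions are the sensitive-header filters from before and after the fix; the cross-host test is a simplification (the real library also keeps credentials for subdomains of the original host and drops them on protocol downgrades), and the request, the proxy credential and the attacker's redirect target are constructed for the example.

```javascript
// Added example, not code from follow-redirects: a minimal model of the
// header filtering the library applies when it follows a redirect.

// Header filter in affected versions: only Authorization and Cookie are
// dropped on a cross-host redirect, so Proxy-Authorization is forwarded.
const VULNERABLE_FILTER = /^(?:authorization|cookie)$/i;
// Header filter after the fix (1.15.6): Proxy-Authorization is dropped too.
const FIXED_FILTER = /^(?:(?:proxy-)?authorization|cookie)$/i;

// Simplification for this example: a redirect is "cross-host" when the host
// (including port) differs. The real library also keeps credentials for
// subdomains of the original host and drops them on protocol downgrades.
function isCrossHost(fromUrl, toUrl) {
  return new URL(fromUrl).host !== new URL(toUrl).host;
}

// Return the headers the client will send to `toUrl` after `fromUrl`
// answered with a redirect there, given the sensitive-header filter in use.
function headersAfterRedirect(headers, fromUrl, toUrl, filter) {
  const out = { ...headers };
  if (isCrossHost(fromUrl, toUrl)) {
    for (const name of Object.keys(out)) {
      if (filter.test(name)) delete out[name];
    }
  }
  return out;
}

// Constructed sample request: an API call carrying an app token, a session
// cookie and proxy credentials (Basic proxy:hunter2), which the origin then
// redirects to a host the attacker controls.
const REQUEST_URL = "https://api.example.test/report";
const REQUEST_HEADERS = {
  "Authorization": "Bearer app-token",
  "Proxy-Authorization": "Basic cHJveHk6aHVudGVyMg==",
  "Cookie": "session=abc123",
  "Accept": "application/json",
};
const ATTACKER_LOCATION = "https://attacker.test/collect";

// Names of credential-bearing headers that reach the redirect target.
function leakedTo(toUrl, filter) {
  const sent = headersAfterRedirect(REQUEST_HEADERS, REQUEST_URL, toUrl, filter);
  return Object.keys(sent).filter((name) => FIXED_FILTER.test(name));
}

console.log("vulnerable:", leakedTo(ATTACKER_LOCATION, VULNERABLE_FILTER)); // [ 'Proxy-Authorization' ]
console.log("fixed:     ", leakedTo(ATTACKER_LOCATION, FIXED_FILTER));      // []
```

Running this with node shows the difference in one line: with the pre-fix filter the attacker's host receives the Proxy-Authorization header while Authorization and Cookie are correctly stripped; with the fixed filter only the non-sensitive Accept header survives the cross-host hop. A redirect that stays on the original host keeps all three credential headers under either filter, which is the intended behaviour and why the bug only surfaces when the attacker can steer the redirect off-host.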
References
fetch.spec.whatwg.org/#authentication-entries
github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
github.com/psf/requests/issues/1885
hackerone.com/reports/2390009
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/