When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty.
Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .
CPE | Name | Operator | Version |
---|---|---|---|
cross-fetch | lt | 3.1.5 | |
cross-fetch | ge | 3.0.0 | |
cross-fetch | lt | 2.2.6 |