AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects

Impact When redirect following is enabled followRedirecttrue, AsyncHttpClient forwards Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and...

EUVD-2021-14249

Malware in sbrugna...

EUVD-2008-0877

Malware in sbrugna...

EUVD-2024-1419

Malicious code in bioql PyPI...

PT-2025-38924

Name of the Vulnerable Software and Affected Versions PressPage Entertainment Inc Mavis HTTPS to HTTP Redirection versions through 1.4.3 Description A Cross-Site Request Forgery CSRF issue exists in PressPage Entertainment Inc Mavis HTTPS to HTTP Redirection, which also allows Stored Cross-Site...

CVE-2025-9086

A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname, but using clear text HTTP using the same cookie set 3. The same cookie name is set - but with just a slash as path path="/",. Since this site is not...

Out-of-bounds Read

Overview curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP. libcurl offers a myriad of...

Linux Distros Unpatched Vulnerability : CVE-2022-31043

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https...

Server-Side Request Forgery in Request

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect HTTP to HTTPS, or HTTPS to HTTP. NOTE: The request package is no longer supported by the maintain...

SUSE CVE-2010-1406

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive...

SUSE CVE-2012-2125

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack...

DEBIAN-CVE-2022-31043

Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This ...

PT-2022-3238 · Guzzle +1 · Guzzle +1

Name of the Vulnerable Software and Affected Versions: Guzzle versions prior to 6.5.7 Guzzle versions prior to 7.4.4 Description: The issue is related to the handling of Authorization headers in requests. When a request is made using the https scheme to a server that responds with a redirect to a...

SUSE-SU-2022:1819-1 Security update for python-requests

This update for python-requests fixes the following issues: - CVE-2018-18074: Fixed to prevent the package to send an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect. bsc1111622...

(Pwn2Own) Samsung Galaxy S21 Improper Error Handling Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 phones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the handling of errors...

Moderate: Red Hat Security Advisory: python-virtualenv security update

An update for python-virtualenv is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerabili...

python-requests: Redirect from HTTPS to HTTP does not remove Authorization header

A credentials-exposure flaw was found in python-requests, where if a request with authentication is redirected 302 from an HTTPS endpoint to an HTTP endpoint on the same host, the Authorization header is not stripped and the credentials can be read in plain text. A man-in-the-middle attacker coul...

python-requests: Redirect from HTTPS to HTTP does not remove Authorization header

A credentials-exposure flaw was found in python-requests, where if a request with authentication is redirected 302 from an HTTPS endpoint to an HTTP endpoint on the same host, the Authorization header is not stripped and the credentials can be read in plain text. A man-in-the-middle attacker coul...

Insufficiently Protected Credentials in Requests

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network...

CVE-2018-18074

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network...