Lucene search
K

534 matches found

OSV
OSV
added 2026/06/04 2:15 p.m.6 views

GHSA-J5F8-GRM9-P9FC Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Summary Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that...

7.5CVSS5.9AI score0.00552EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.34 views

PT-2026-46301

Name of the Vulnerable Software and Affected Versions Axios versions prior to 0.32.0 Axios versions prior to 1.16.0 Description The Node.js HTTP adapter in Axios may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This occurs when an...

8.2CVSS5.5AI score0.00689EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/05/29 3:51 p.m.15 views

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

5.3CVSS5.8AI score0.00228EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/05/29 3:51 p.m.8 views

Prototype Pollution

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the setProxy function. An attacker can inject arbitrary credentials into the Proxy-Authorization header of proxied HTTP requests b...

9.1CVSS6.4AI score0.00549EPSS
Exploits2References3
OSV
OSV
added 2026/05/29 3:51 p.m.12 views

GHSA-654M-C8P4-X5FP Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

3.7CVSS5.8AI score0.00228EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.11 views

PT-2026-44909

Name of the Vulnerable Software and Affected Versions Axios versions 1.15.2 through 1.15.9 Description Nested objects created by the merge function in utils.js are constructed as plain objects, meaning they retain Object.prototype in their prototype chain. The setProxy function in...

5.3CVSS5.5AI score0.00228EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2026/05/27 12:38 a.m.16 views

@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects

Impact When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...

4.3CVSS6.8AI score0.00734EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/27 12:38 a.m.9 views

GHSA-VHJM-W67Q-G75C @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects

Impact When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...

6.3CVSS5.8AI score0.00054EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/27 12:38 a.m.16 views

Insufficiently Protected Credentials

Overview @hapi/wreck is a HTTP Client Utilities library. Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to leaking the sensitive Proxy-Authorization header across cross-hostname redirects. An attacker can obtain sensitive proxy credentials by inducing...

6.3CVSS5.8AI score0.00054EPSS
Exploits0References2
OSV
OSV
added 2026/05/19 2:46 a.m.18 views

MGASA-2026-0150 Updated perl-libwww-perl & perl-HTTP-Message packages fix security vulnerabilities

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects...

6.5CVSS5.8AI score0.00266EPSS
Exploits0References3
Microsoft CVE
Microsoft CVE
added 2026/05/17 8:1 a.m.10 views

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects

...

6.5CVSS5.8AI score0.00266EPSS
Exploits0
NVD
NVD
added 2026/05/14 4:16 p.m.54 views

CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS0.00505EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 3:58 p.m.85 views

CVE-2026-44503 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS0.00505EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 3:58 p.m.7 views

CVE-2026-44503 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS5.8AI score0.00505EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/14 3:58 p.m.5 views

CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS5.8AI score0.00505EPSS
Exploits0References2Affected Software6
CVE
CVE
added 2026/05/14 3:58 p.m.50 views

CVE-2026-44503

CVE-2026-44503 affects the RedirectHandler in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0, and similar Kiota libraries). The root cause is that when following 3xx redirects to a different host or scheme, only the Authorization header is removed; Cookie, Proxy-Auth...

7CVSS5.8AI score0.00505EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/05/13 2:25 p.m.11 views

SUSE CVE-2026-8368

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

5.3CVSS5.8AI score0.00266EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/13 11:15 a.m.17 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack in the Proxy-Authorization: header handling process. An attacker can gain unauthorized access to resources or sensitive information by leveraging a scenario where authentication credentials intended for one proxy are...

8.2CVSS5.8AI score0.00471EPSS
Exploits1References2
Debian CVE
Debian CVE
added 2026/05/13 8:29 a.m.6 views

CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

5.3CVSS5.8AI score0.00471EPSS
Exploits1
NVD
NVD
added 2026/05/12 3:16 p.m.15 views

CVE-2026-8368

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

6.5CVSS0.00266EPSS
Exploits0References5
Rows per page
Query Builder