CVE-2025-59350 Timing attacks against Proxy’s basic authentication are possible

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time...

CVE-2025-59350 Timing attacks against Proxy’s basic authentication are possible

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time...

net/http: Sensitive headers not cleared on cross-origin redirect in net/http

A flaw was found in net/http. Handling Proxy-Authorization and Proxy-Authenticate headers during cross-origin redirects allows these headers to be inadvertently forwarded, potentially exposing sensitive authentication credentials. This flaw allows a network-based attacker to manipulate redirect...

net/http: Sensitive headers not cleared on cross-origin redirect in net/http

A flaw was found in net/http. Handling Proxy-Authorization and Proxy-Authenticate headers during cross-origin redirects allows these headers to be inadvertently forwarded, potentially exposing sensitive authentication credentials. This flaw allows a network-based attacker to manipulate redirect...

OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

Impact This vulnerability affects oauth2-proxy deployments using the skipauthroutes configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining...

Medium: oci-add-hooks

Issue Overview: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. CVE-2025-4673 Affected Packages: oci-add-hooks Note: This advisory is applicable to Amazon Linux 2 - Docker Extra. Visit this page to learn more about...

OESA-2025-1742 golang security update

. Security Fixes: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.CVE-2025-4673...

TencentOS Server 3: mod_auth_mellon (TSSA-2022:0100)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0100 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

DEBIAN-CVE-2025-4673

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information...

AZL-63716 CVE-2025-4673 affecting package golang for versions less than 1.18.8-9

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information...

Google Go 安全漏洞

Google Go is a static strongly typed, compiled, concatenated, and garbage-collected programming language from Google USA. A security vulnerability exists in Google Go that stems from Proxy-Authorization and Proxy-Authenticate header persistence, which could lead to the disclosure of sensitive...

Astra Linux - уязвимость в node-undici

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known...

PT-2025-6250 · Concorde · Concorde

Name of the Vulnerable Software and Affected Versions: Concorde versions prior to 12.25Q1.1 Description: The issue arises from a lack of CSRF countermeasures and improper settings of cookies for MediaProxy authentication, allowing an attacker to bypass MediaProxy authentication. This enables the...

The vulnerability of the 1C-Bitrix website content management system, related to insufficient protection of registration data, allows a hacker to gain access to authentication data from the proxy server.

The vulnerability of the 1C-Bitrix website content management system CMS is related to insufficient protection of registration data, allowing attackers to gain access to authentication data from the proxy server...

Security Bulletin: Vulnerability in Node.js affects IBM watsonx.data

Summary Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing authorization header during cross-domain redirect, but keeping the proxy-authentication header. An attacker could exploit this...

CLSA-2024-1723795173 wget: Fix of CVE-2024-38428

CVE-2024-38428: properly re-implement userinfo parsing rfc2396 - Fix wget Test-proxied-https-auth.px and Test-proxied-https-auth.px tests failing - Providing wget -O and -q parameters while running in background generates a wget-log file...

follow-redirects: Possible credential leak

A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, follow-redirects clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a...

follow-redirects: Possible credential leak

A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, follow-redirects clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a...

The vulnerability in the HTTP/1.1 client of the Node.js software platform arises from insufficient protection of service data due to improper cleaning of Proxy-Authentication headers. This allows attackers to enhance their privileges.

The vulnerability of the HTTP/1.1 Undici software platform for Node.js is related to insufficient protection of service data due to improper cleaning of Proxy-Authentication headers. Exploiting this vulnerability can allow a remote attacker to increase their privileges...

Medium: nodejs

Issue Overview: NOTE: https://nodejs.org/en/blog/release/v18.19.1 NOTE: https://github.com/nodejs/node/commit/f31d47e135973746c4f490d5eb635eded8bb3dda v18.x NOTE: https://github.com/nodejs/node/commit/9052ef43dc2d1b0db340591a9bc9e45a25c01d90 main CVE-2024-22025 Undici is an HTTP/1.1 client, writt...