amphp/http-client Header leakage on cross-domain redirects
Moderate severity
GitHub Reviewed
Published
May 15, 2024
to the GitHub Advisory Database
Description
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
amphp/http-client has a security weakness that might leak sensitive request headers from the initial request to the redirected host on cross-domain redirects, which were not removed correctly.
Message::setHeaders
does not replace the entire set of headers, but only operates on the headers matching the given array keys.References