We encountered the following security issues:
Affected versions of this package are vulnerable to Information Exposure due to the handling of the Proxy-Authorization header across hosts. When using a dependent library, it only clears the authorization header during cross-domain redirects but allows the proxy-authentication header, which contains credentials, to persist. This behavior may lead to the unintended leakage of credentials if an attacker can trigger a cross-domain redirect and capture the persistent proxy-authentication header.
When will a new version be released to address this security issue?
Axios Version
@1.6.5
My first approach was to just delete Proxy-Authorization whenever we redirect:
```js
function dispatchBeforeRedirect(options, responseDetails) {
  if (options.beforeRedirects.proxy) {
    options.beforeRedirects.proxy(options);
  }
  if (options.beforeRedirects.config) {
    options.beforeRedirects.config(options, responseDetails);
  }
  // Clear Proxy-Authorization header during cross-domain redirects
  delete options.headers['Proxy-Authorization'];
}
```
My second approach is to remove Proxy-Authorization from the header, but then turn it into a variable returned by options, the same way it is implemented for authorization:
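An added example, not part of the original thread and not code from axios or its redirect library: a redirect hook that strips both Authorization and Proxy-Authorization, matching header names case-insensitively, only when the redirect changes host. It also treats an HTTPS-to-HTTP downgrade as a reason to strip, which goes beyond the cross-domain case described in the issue. The function names, the `example.test` URLs and the header values are assumptions constructed for illustration.

```javascript
// Matches "authorization" and "proxy-authorization" in any casing.
const CREDENTIAL_HEADER = /^(?:proxy-)?authorization$/i;

// Remove every header whose name matches `pattern`, whatever its casing.
// Returns the names removed so callers can log or assert on them.
function removeMatchingHeaders(pattern, headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (pattern.test(name)) {
      removed.push(name);
      delete headers[name];
    }
  }
  return removed;
}

// True when the redirect leaves the original host (port included)
// or drops from https to a non-https scheme.
function leavesTrustBoundary(fromUrl, location) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // Location may be relative
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  return from.host !== to.host || downgrade;
}

// Hypothetical redirect hook: options.headers is mutated in place.
function scrubOnRedirect(options, fromUrl, location) {
  if (!leavesTrustBoundary(fromUrl, location)) return [];
  return removeMatchingHeaders(CREDENTIAL_HEADER, options.headers);
}

// Constructed sample request; header values are placeholders.
function demo() {
  const headers = {
    Accept: 'application/json',
    authorization: 'Bearer EXAMPLE',
    'Proxy-Authorization': 'Basic EXAMPLE',
  };
  const origin = 'https://api.example.test/a';
  const sameHost = scrubOnRedirect({ headers }, origin, '/b');
  const crossHost = scrubOnRedirect({ headers }, origin, 'https://other.example.test/');
  return { sameHost, crossHost, remaining: Object.keys(headers) };
}
```

Deleting only `options.headers['Proxy-Authorization']` misses a header that the caller set as `proxy-authorization`, which is why the match here is by case-insensitive pattern rather than by exact key.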