Security Vulnerability
A critical security vulnerability has been discovered in @microsoft/kiota-http-fetchlibrary affecting versions 1.0.0-preview.97 through 1.0.0-preview.101.
Issue: GHSA-396q-4vc8-28x9
Bearer token leak across origin in RedirectHandler
The RedirectHandler's default scrubbing callback uses case-sensitive property deletion (delete headers.Authorization, delete headers.Cookie) on a headers object whose keys have already been lower-cased (authorization, cookie). Because JavaScript property names are case-sensitive, the deletes target keys that do not exist, so the scrub is a no-op: any Bearer token or Cookie attached by the kiota SDK is forwarded unchanged to the redirect target, which may be an attacker-controlled host, across cross-origin HTTP redirects.
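The following TypeScript is an added illustration of the failure mode described above; it is not code from the kiota repository and does not reproduce its RedirectHandler. It models a headers record whose keys have already been lower-cased, applies a scrub written the way the advisory describes (case-sensitive deletes), shows that the Authorization and Cookie values survive a cross-origin redirect, and places a case-insensitive scrub beside it. The function names, the hypothetical hosts and the sample header values are assumptions made for the example.

```typescript
// Added example, not kiota's own code. Header values and hosts are constructed.
type HeaderMap = Record<string, string>;

// Mimics a headers object that has already been normalised to lower-case keys,
// as the advisory says happens before the scrub callback runs.
function lowerCaseHeaders(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Scrub written the way the advisory describes the vulnerable callback:
// case-sensitive property deletion. On lower-cased keys these deletes
// hit nothing, so the function returns the headers unchanged.
function scrubVulnerable(headers: HeaderMap): HeaderMap {
  const copy: HeaderMap = { ...headers };
  delete copy.Authorization; // key is "authorization" here, so no-op
  delete copy.Cookie;        // key is "cookie" here, so no-op
  return copy;
}

// Hardened scrub: compare header names case-insensitively, so the result
// does not depend on how the caller or an earlier middleware cased them.
const SENSITIVE_HEADERS = new Set(["authorization", "cookie"]);
function scrubHardened(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) {
      out[name] = value;
    }
  }
  return out;
}

// Same origin means same scheme and same host (including port).
function sameOrigin(from: string, to: string): boolean {
  const a = new URL(from);
  const b = new URL(to);
  return a.protocol === b.protocol && a.host === b.host;
}

// Simplified redirect follow: credentials are kept on a same-origin hop and
// passed through the scrub callback on a cross-origin hop, which is exactly
// the point at which the vulnerable scrub fails to protect the token.
function headersForRedirect(
  from: string,
  to: string,
  headers: HeaderMap,
  scrub: (h: HeaderMap) => HeaderMap,
): HeaderMap {
  return sameOrigin(from, to) ? headers : scrub(headers);
}

// Constructed request headers, as an SDK with a bearer auth provider would send.
const requestHeaders = lowerCaseHeaders({
  Authorization: "Bearer example-token",
  Cookie: "session=abc123",
  Accept: "application/json",
});

// Hypothetical hosts for the example.
const apiUrl = "https://api.example.test/v1/items";
const redirectTarget = "https://attacker.example.test/collect";

const leaked = headersForRedirect(apiUrl, redirectTarget, requestHeaders, scrubVulnerable);
const protectedHeaders = headersForRedirect(apiUrl, redirectTarget, requestHeaders, scrubHardened);
```

Run this and inspect `leaked`: the "authorization" and "cookie" entries are still present after the cross-origin hop, which is the leak the advisory describes. `protectedHeaders` keeps only the non-sensitive "accept" header. The same-origin branch is kept deliberately so the hardened version still sends credentials where a redirect stays on the original host.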
Impact
- Bearer token leak: When an SDK calls a server that responds with an HTTP redirect to a different host, the Authorization header (and any Cookie header) is forwarded to the redirect target.
- Default middleware affected: This applies to the default middleware chain with no custom configuration.
- All kiota-generated TypeScript SDKs affected: Any SDK using BaseBearerTokenAuthenticationProvider or any other authentication provider that sets the Authorization header.
- No user action required to be exposed: The bug is in the default middleware chain, so no opt-in or misconfiguration on the consuming application's side is needed for the leak to occur.
Affected Versions
- @microsoft/kiota-http-fetchlibrary >= 1.0.0-preview.97 and < 1.0.0-preview.102
Resolution
Update to @microsoft/kiota-http-fetchlibrary version 1.0.0-preview.102 or later.