
[GHSA-r4q5-vmmm-2653] follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets #7476

Closed
ljharb wants to merge 1 commit into ljharb/advisory-improvement-7476 from ljharb-GHSA-r4q5-vmmm-2653

Conversation

@ljharb

@ljharb ljharb commented Apr 21, 2026

Updates

  • Affected products

Comments
Empirical POC-based runtime testing confirms follow-redirects 0.0.1-0.0.5 do not leak custom sensitive headers on cross-host redirects - same mechanism as GHSA-74fj-2j2h-c42q. The sensitiveHeaders option the advisory describes is a late addition, but the underlying cross-host header-forwarding behavior the leak depends on is what determines applicability, and that behavior was introduced in 0.0.6.
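As an added illustration of the mechanism discussed in this comment (example code, not follow-redirects' own implementation), the following simulates a client that follows a redirect chain and shows the difference between forwarding every request header to a cross-host target and dropping sensitive ones first. The sensitive-header list, the same-host rule, and the sample chain are this example's own assumptions.

```javascript
// Added example, not follow-redirects' own code. Models the header handling the
// advisory describes: a redirect-following client must decide which request
// headers may travel to a redirect target on a different host.

// Assumption of this example: these header names carry credentials.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Same host means same scheme, hostname and port (this example's rule).
// WHATWG URL parsing normalises default ports, so ":443" on https matches "".
function sameHost(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Headers that may accompany the redirected request: on a cross-host hop the
// sensitive ones are dropped, everything else is forwarded unchanged.
function headersForRedirect(fromUrl, toUrl, headers) {
  const crossHost = !sameHost(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Walk a redirect chain (an offline map of URL -> Location) and return the
// headers that reach the final URL. stripOnCrossHost=false models the leaking
// behaviour; true models the mitigation. The hop limit guards against loops.
function followChain(startUrl, headers, redirectsByUrl, stripOnCrossHost) {
  let url = startUrl;
  let current = { ...headers };
  for (let hop = 0; hop < 10; hop++) {
    const next = redirectsByUrl[url];
    if (!next) break;
    if (stripOnCrossHost) current = headersForRedirect(url, next, current);
    url = next;
  }
  return { url, headers: current };
}

// Constructed sample: an authenticated API call redirected to a third-party host.
const SAMPLE_CHAIN = { 'https://api.example.com/v1/data': 'https://cdn.example.net/data' };
const SAMPLE_HEADERS = { Authorization: 'Bearer example-token', Accept: 'application/json' };
```

Running `followChain` over the sample with `stripOnCrossHost` set to `false` delivers the `Authorization` header to `cdn.example.net`; with `true` only `Accept` survives the hop.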

@github

github commented Apr 21, 2026

Hi there @RubenVerborgh! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Copilot AI review requested due to automatic review settings April 21, 2026 18:06
@github-actions github-actions Bot changed the base branch from main to ljharb/advisory-improvement-7476 April 21, 2026 18:07

Copilot AI left a comment


Pull request overview

Updates the affected version range for the follow-redirects advisory (GHSA-r4q5-vmmm-2653) to reflect that the vulnerable cross-host header-forwarding behavior begins at 0.0.6, aligning applicability with observed runtime behavior.

Changes:

  • Update the affected range “introduced” version from 0 to 0.0.6.
  • Bump the advisory modified timestamp accordingly.


@RubenVerborgh

Honestly, I don't know… v0.0.6 was over 10 years ago, and before I got involved. I just hope no one still runs 0.x.

@helixplant

Hi @ljharb,
Thank you for taking the time to share this information. While we appreciate the effort, we’re not able to assist with these requests at this time. Please contact the respective assigning CNA or the affected repository maintainers for each advisory so they can validate the lower bound versioning information and make any necessary updates. This guidance also applies to the following PRs:

@helixplant helixplant closed this Apr 22, 2026
@github-actions github-actions Bot deleted the ljharb-GHSA-r4q5-vmmm-2653 branch April 22, 2026 23:33