CVE-2025-21620

HIGH7.5EPSS 0.26%

fetch: Authorization headers not dropped when redirecting cross-origin

Published: 1/6/2025Modified: 1/7/2025

Description

### Summary When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Deno's`fetch()` redirect handling creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain. ### Details The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. The same is generally applied to `Cookie` and `Proxy-Authorization` headers, and is done for not only host changes, but also protocol/port changes. Generally referred to as "origin". The [documentation](https://docs.deno.com/runtime/reference/web_platform_apis/#:~:text=Deno%20does%20not%20follow%20the,leaking%20authenticated%20data%20cross%20origin.) states: > Deno does not follow the same-origin policy, because the Deno user agent currently does not have the concept of origins, and it does not have a cookie jar. This means Deno **does not need** to protect against leaking authenticated data cross origin ### Reproduction ```ts const ac = new AbortController() const server1 = Deno.serve({ port: 3001, signal: ac.signal }, (req) => { return new Response(null, { status: 302, headers: { 'location': 'http://localhost:3002/redirected' }, }) }) const server2 = Deno.serve({ port: 3002, signal: ac.signal }, (req) => { const body = JSON.stringify({ url: req.url, hasAuth: req.headers.has('authorization'), }) return new Response(body, { status: 200, headers: {'content-type': 'application/json'}, }) }) async function main() { const response = await fetch("http://localhost:3001/", { headers: {authorization: 'Bearer foo'} }) const body = await response.json() ac.abort() if (body.hasAuth) { console.error('ERROR: Authorization header should not be present after cross-origin redirect') } else { console.log('SUCCESS: Authorization header is not present after cross-origin redirect') } } setTimeout(main, 500) ```

Affected packages (2)

crates.io/denofrom 0, <= 1.46.3
crates.io/deno_fetch>= 0.0.1, < 0.204.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Affected packages (2)

CVSS scores

References (3)