CVE-2026-49853
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
Description

## Summary

When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect target changes origin. As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default.

Beginning in Tornado 6.5.6, `SimpleAsyncHTTPClient` matches the default behavior of `libcurl` (and therefore `CurlAsyncHTTPClient`): when a redirect changes the scheme, host, or port of the URL, the `Authorization` and `Cookie` headers are removed when following the redirect.
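The following is an added example, not Tornado's own code, showing the hardened redirect logic the advisory describes: the redirected request is still a shallow copy with a rewritten URL, a decremented max_redirects and no Host header, but credential-bearing headers are dropped whenever the scheme, host or port changes. The request is modelled as a plain dict standing in for HTTPRequest; the field names mirror those named in the advisory, and clearing auth_username/auth_password/auth_mode on a cross-origin hop is this example's own defensive addition rather than something the advisory attributes to the fix.

```python
"""Hardened 3xx redirect handling (added example; not Tornado's implementation)."""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials bound to one origin. Assumption for this
# example: the set matches what the advisory says Tornado 6.5.6 strips.
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple identifying an origin.

    Default ports are filled in so that https://a.example/ and
    https://a.example:443/ compare equal; host comparison is case-insensitive.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and port."""
    return origin_of(url_a) == origin_of(url_b)


def follow_redirect(request, location):
    """Build the request used to follow a 3xx response.

    `request` is a constructed dict standing in for an HTTPRequest with the
    keys url, headers (dict), auth_username, auth_password, auth_mode and
    max_redirects. A new dict is returned; the input is never mutated.
    """
    # Location may be relative, so resolve it against the request URL first.
    target = urljoin(request["url"], location)

    new_request = dict(request)  # shallow copy, as the advisory describes
    new_request["url"] = target
    new_request["max_redirects"] = request["max_redirects"] - 1

    # Host is always dropped so the client recomputes it for the new URL.
    drop = {"host"}
    if not same_origin(request["url"], target):
        # The fix: credential headers must not cross an origin boundary.
        drop |= CREDENTIAL_HEADERS
        # This example's addition: also clear the client-side auth fields that
        # would otherwise regenerate an Authorization header for the new origin.
        new_request["auth_username"] = None
        new_request["auth_password"] = None
        new_request["auth_mode"] = None

    new_request["headers"] = {
        name: value
        for name, value in request["headers"].items()
        if name.lower() not in drop
    }
    return new_request


def demo():
    """Constructed request: same-origin hop keeps credentials, cross-origin drops them."""
    request = {
        "url": "https://api.example.com/v1/data",
        "headers": {
            "Host": "api.example.com",
            "Authorization": "Bearer constructed-token",
            "Cookie": "session=constructed",
            "Accept": "application/json",
        },
        "auth_username": "alice",
        "auth_password": "constructed-password",
        "auth_mode": "basic",
        "max_redirects": 5,
    }
    same = follow_redirect(request, "/v1/other")
    cross = follow_redirect(request, "https://other.example.net/collect")
    return request, same, cross


if __name__ == "__main__":
    _, same, cross = demo()
    print("same-origin headers :", sorted(same["headers"]))
    print("cross-origin headers:", sorted(cross["headers"]))
```

A scheme change (https to http) or a port change on the same host also counts as a new origin, so a downgrade redirect does not leak a bearer token either; relative Location values are resolved against the request URL before the comparison, which is the case an origin check most often gets wrong.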
How to fix CVE-2026-49853
To fix CVE-2026-49853, upgrade the affected package to one of the patched versions listed below.
- Upgrade to 6.5.6 or later
Is CVE-2026-49853 being exploited?
There are currently no signs of exploitation. CVE-2026-49853 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- from 0, < 6.5.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.7) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |