Vulnerability Information
Vulnerability Title
Unauthorized forwarding of confidential headers in fluture-node
Vulnerability Description
Fluture-Node is a set of FP-style HTTP and streaming utilities for Node, based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, together with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability: if the destination server redirects the request to a server on a third-party domain, or to the same domain over unencrypted HTTP, the headers are included in the follow-up request and exposed to the third party or to potential HTTP traffic sniffing. The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin. As a workaround, a custom redirection strategy can be used via the `followRedirectsWith` function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.
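The origin check behind the fix can be illustrated with the following added example. It is not fluture-node's code or API: `headersForRedirect` and `CONFIDENTIAL_HEADERS` are hypothetical names, the header list is limited to the two headers the description names, and the URLs and header values are constructed.

```javascript
// Added example: hypothetical helper, not part of fluture-node.
// Header names treated as confidential (the two named in the description).
const CONFIDENTIAL_HEADERS = new Set(['authorization', 'cookie']);

// Decide which request headers may be sent on the follow-up request.
// currentUrl: URL of the request that received the redirect response
// location:   value of the Location header (may be relative)
// headers:    plain object of the original request headers
function headersForRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  // Relative Location values are resolved against the current URL.
  const to = new URL(location, currentUrl);

  // URL.origin is scheme + host + port, so a redirect from https to http
  // on the same host counts as a different origin, as does a port change.
  if (from.origin === to.origin) {
    return { ...headers };
  }

  // Cross-origin: drop confidential headers, matching names case-insensitively.
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CONFIDENTIAL_HEADERS.has(name.toLowerCase())) {
      kept[name] = value;
    }
  }
  return kept;
}

// Constructed sample request headers and redirect targets.
const sampleHeaders = {
  Authorization: 'Bearer EXAMPLE-TOKEN',
  cookie: 'sid=EXAMPLE',
  Accept: 'application/json',
};
const sampleRedirects = [
  '/v2/items',                         // same origin, relative
  'https://cdn.example.net/items',     // third-party domain
  'http://api.example.com/items',      // same host, unencrypted HTTP
];

for (const location of sampleRedirects) {
  const sent = headersForRedirect('https://api.example.com/items', location, sampleHeaders);
  console.log(location, '->', Object.keys(sent).join(', '));
}
```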
CVSS Information
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
Privacy Violation
Vulnerability Title
Fluture Node Input Validation Error Vulnerability
Vulnerability Description
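Fluture Node is an FP-style HTTP and streaming utility based on Fluture. Fluture Node contains a security vulnerability: if the destination server redirects the request to a server on a third-party domain, or to the same domain over unencrypted HTTP, the headers are included in the follow-up request and exposed to the third party or to potential HTTP traffic sniffing.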
CVSS Information
N/A
Vulnerability Type
N/A