CVE-2022-24719

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability where, if the destination server were to redirect the request to a server on a third-party domain, or the same domain over unencrypted HTTP, the headers would be included in the follow-up request and be exposed to the third party, or potential http traffic sniffing. The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin. A workaround has been identified by using a custom redirection strategy via the `followRedirectsWith` function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability where, if the destination server were to redirect the request to a server on a third-party domain, or the same domain over unencrypted HTTP, the headers would be included in the follow-up request and be exposed to the third party, or potential http traffic sniffing. The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin. A workaround has been identified by using a custom redirection strategy via the `followRedirectsWith` function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability where, if the destination server were to redirect the request to a server on a third-party domain, or the same domain over unencrypted HTTP, the headers would be included in the follow-up request and be exposed to the third party, or potential http traffic sniffing. The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin. A workaround has been identified by using a custom redirection strategy via the `followRedirectsWith` function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.

### Impact Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability where, if the destination server were to redirect the request to a server on a third-party domain, or the same domain over unencrypted HTTP, the headers would be included in the follow-up request and be exposed to the third party, or potential http traffic sniffing. ### Patches The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin. ### Workarounds Use a custom redirection strategy via the `followRedirectsWith` function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2. ### References - This vulnerability was discovered after the announcement of similar vulnerabilities in the `follow-redirects` package. There is more information there: https://github.com/advisories/GHSA-74fj-2j2h-c42q and https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/ - Fixed in 125e4474f910c1507f8ec3232848626fbc0f55c4 and 0c99bc511533d48be17dc6bfe641f7d0aeb34d77

Fluture-Node es una utilidad HTTP y de streaming de estilo FP para Node basada en Fluture. Usando "followRedirects" o "followRedirectsWith" con cualquiera de las estrategias de redireccionamiento incorporadas en fluture-node versiones 4.0.0 o 4.0. 1, junto con una petición que incluya encabezados confidenciales como Authorization o Cookie, le expone a una vulnerabilidad en la que, si el servidor de destino redirigiera la petición a un servidor en un dominio de terceros, o al mismo dominio a través de HTTP sin cifrar, los encabezados podrían ser incluidos en la petición de seguimiento y quedarían expuestas a terceros, o a un potencial husmeo del tráfico http. Las estrategias de redireccionamiento disponibles en la versión 4.0.2 redactan automáticamente los encabezados confidenciales cuando es seguido un redireccionamiento a otro origen. Se ha identificado una medida de mitigación mediante el uso de una estrategia de redireccionamiento personalizada por medio de la función "followRedirectsWith". La estrategia personalizada puede basarse en las nuevas estrategias disponibles en fluture-node@4.0.2.