{"url":"http://public2.vulnerablecode.io/api/packages/18662?format=json","purl":"pkg:npm/follow-redirects@1.14.7","type":"npm","namespace":"","name":"follow-redirects","version":"1.14.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.16.0","latest_non_vulnerable_version":"1.16.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359822?format=json","vulnerability_id":"VCID-2mmm-s45q-hfd4","summary":"follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets\n## Summary\n\nWhen an HTTP request follows a cross-domain redirect (301/302/307/308), `follow-redirects` only strips `authorization`, `proxy-authorization`, and `cookie` headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., `X-API-Key`, `X-Auth-Token`, `Api-Key`, `Token`) is forwarded verbatim to the redirect target.\n\nSince `follow-redirects` is the redirect-handling dependency for **axios** (105K+ stars), this vulnerability affects the entire axios ecosystem.\n\n## Affected Code\n\n`index.js`, lines 469-476:\n\n```javascript\nif (redirectUrl.protocol !== currentUrlParts.protocol &&\n   redirectUrl.protocol !== \"https:\" ||\n   redirectUrl.host !== currentHost &&\n   !isSubdomain(redirectUrl.host, currentHost)) {\n  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);\n}\n```\n\nThe regex only matches `authorization`, `proxy-authorization`, and `cookie`. Custom headers like `X-API-Key` are not matched.\n\n## Attack Scenario\n\n1. App uses axios with custom auth header: `headers: { 'X-API-Key': 'sk-live-secret123' }`\n2. Server returns `302 Location: https://evil.com/steal`\n3. follow-redirects sends `X-API-Key: sk-live-secret123` to `evil.com`\n4. Attacker captures the API key\n\n## Impact\n\nAny custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.\n\n## Suggested Fix\n\nAdd a `sensitiveHeaders` option that users can extend, or strip ALL non-standard headers on cross-domain redirect.\n\n## Disclosure\n\nSource code review, manually verified. Found 2026-03-20.","references":[{"reference_url":"https://github.com/follow-redirects/follow-redirects","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9"},{"reference_url":"https://github.com/advisories/GHSA-r4q5-vmmm-2653","reference_id":"GHSA-r4q5-vmmm-2653","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r4q5-vmmm-2653"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653","reference_id":"GHSA-r4q5-vmmm-2653","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373694?format=json","purl":"pkg:npm/follow-redirects@1.16.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/follow-redirects@1.16.0"}],"aliases":["GHSA-r4q5-vmmm-2653"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2mmm-s45q-hfd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18973?format=json","vulnerability_id":"VCID-9rmp-5jhp-uqdy","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28849.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28849.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28849","reference_id":"","reference_type":"","scores":[{"value":"0.01077","scoring_system":"epss","scoring_elements":"0.78221","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28849"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/follow-redirects/follow-redirects","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066971","reference_id":"1066971","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066971"},{"reference_url":"https://github.com/psf/requests/issues/1885","reference_id":"1885","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:45:25Z/"}],"url":"https://github.com/psf/requests/issues/1885"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2269576","reference_id":"2269576","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2269576"},{"reference_url":"https://hackerone.com/reports/2390009","reference_id":"2390009","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:45:25Z/"}],"url":"https://hackerone.com/reports/2390009"},{"reference_url":"https://fetch.spec.whatwg.org/#authentication-entries","reference_id":"#authentication-entries","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:45:25Z/"}],"url":"https://fetch.spec.whatwg.org/#authentication-entries"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b","reference_id":"c4f847f85176991f95ab9c88af63b1294de8649b","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:45:25Z/"}],"url":"https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28849","reference_id":"CVE-2024-28849","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28849"},{"reference_url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp","reference_id":"GHSA-cxjh-pqwp-8mfp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp","reference_id":"GHSA-cxjh-pqwp-8mfp","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:45:25Z/"}],"url":"https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0041","reference_id":"RHSA-2024:0041","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0041"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1474","reference_id":"RHSA-2024:1474","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1474"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1946","reference_id":"RHSA-2024:1946","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1946"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3316","reference_id":"RHSA-2024:3316","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3316"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3550","reference_id":"RHSA-2024:3550","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3550"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3781","reference_id":"RHSA-2024:3781","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3781"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3868","reference_id":"RHSA-2024:3868","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3868"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3920","reference_id":"RHSA-2024:3920","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3920"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3989","reference_id":"RHSA-2024:3989","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3989"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4836","reference_id":"RHSA-2024:4836","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4836"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7164","reference_id":"RHSA-2024:7164","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7164"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8677","reference_id":"RHSA-2024:8677","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8677"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1609","reference_id":"RHSA-2025:1609","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1609"},{"reference_url":"https://usn.ubuntu.com/8217-1/","reference_id":"USN-8217-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8217-1/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/","reference_id":"VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:45:25Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29831?format=json","purl":"pkg:npm/follow-redirects@1.15.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mmm-s45q-hfd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/follow-redirects@1.15.6"}],"aliases":["CVE-2024-28849","GHSA-cxjh-pqwp-8mfp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9rmp-5jhp-uqdy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207976?format=json","vulnerability_id":"VCID-jckm-qh6f-qbby","summary":"Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-0536.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-0536.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0536","reference_id":"","reference_type":"","scores":[{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21461","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0536"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536"},{"reference_url":"https://github.com/follow-redirects/follow-redirects","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"},{"reference_url":"https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2053259","reference_id":"2053259","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2053259"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0536","reference_id":"CVE-2022-0536","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0536"},{"reference_url":"https://github.com/advisories/GHSA-pw2r-vq6v-hr8c","reference_id":"GHSA-pw2r-vq6v-hr8c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pw2r-vq6v-hr8c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1739","reference_id":"RHSA-2022:1739","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1739"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5483","reference_id":"RHSA-2022:5483","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5483"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6156","reference_id":"RHSA-2022:6156","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6156"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6835","reference_id":"RHSA-2022:6835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:21368","reference_id":"RHSA-2025:21368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:21368"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:21378","reference_id":"RHSA-2025:21378","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:21378"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:21704","reference_id":"RHSA-2025:21704","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:21704"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22415","reference_id":"RHSA-2025:22415","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22415"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22416","reference_id":"RHSA-2025:22416","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22416"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22418","reference_id":"RHSA-2025:22418","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22418"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22420","reference_id":"RHSA-2025:22420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22420"},{"reference_url":"https://usn.ubuntu.com/8217-1/","reference_id":"USN-8217-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8217-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19166?format=json","purl":"pkg:npm/follow-redirects@1.14.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mmm-s45q-hfd4"},{"vulnerability":"VCID-9rmp-5jhp-uqdy"},{"vulnerability":"VCID-yyq3-9m73-nffv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/follow-redirects@1.14.8"}],"aliases":["CVE-2022-0536","GHSA-pw2r-vq6v-hr8c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jckm-qh6f-qbby"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/135969?format=json","vulnerability_id":"VCID-yyq3-9m73-nffv","summary":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26159.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26159.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26159","reference_id":"","reference_type":"","scores":[{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27322","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26159"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26159","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26159"},{"reference_url":"https://github.com/follow-redirects/follow-redirects","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM"},{"reference_url":"https://security.netapp.com/advisory/ntap-20241108-0002","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20241108-0002"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059926","reference_id":"1059926","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059926"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2256413","reference_id":"2256413","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2256413"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/issues/235","reference_id":"235","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T18:34:28Z/"}],"url":"https://github.com/follow-redirects/follow-redirects/issues/235"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/pull/236","reference_id":"236","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T18:34:28Z/"}],"url":"https://github.com/follow-redirects/follow-redirects/pull/236"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26159","reference_id":"CVE-2023-26159","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26159"},{"reference_url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc","reference_id":"GHSA-jchw-25xp-jwwc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7198","reference_id":"RHSA-2023:7198","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7198"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0271","reference_id":"RHSA-2024:0271","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0271"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0720","reference_id":"RHSA-2024:0720","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0720"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0853","reference_id":"RHSA-2024:0853","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0853"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0998","reference_id":"RHSA-2024:0998","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0998"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1027","reference_id":"RHSA-2024:1027","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1027"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1383","reference_id":"RHSA-2024:1383","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1383"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1946","reference_id":"RHSA-2024:1946","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1946"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3314","reference_id":"RHSA-2024:3314","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3314"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3316","reference_id":"RHSA-2024:3316","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3316"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3989","reference_id":"RHSA-2024:3989","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3989"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1609","reference_id":"RHSA-2025:1609","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1609"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137","reference_id":"SNYK-JS-FOLLOWREDIRECTS-6141137","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T18:34:28Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"},{"reference_url":"https://usn.ubuntu.com/8217-1/","reference_id":"USN-8217-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8217-1/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/","reference_id":"ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T18:34:28Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28233?format=json","purl":"pkg:npm/follow-redirects@1.15.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mmm-s45q-hfd4"},{"vulnerability":"VCID-9rmp-5jhp-uqdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/follow-redirects@1.15.4"}],"aliases":["CVE-2023-26159","GHSA-jchw-25xp-jwwc"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yyq3-9m73-nffv"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207320?format=json","vulnerability_id":"VCID-77ua-pc1n-2ucj","summary":"Exposure of sensitive information in follow-redirects","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-0155.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-0155.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0155","reference_id":"","reference_type":"","scores":[{"value":"0.01302","scoring_system":"epss","scoring_elements":"0.80169","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0155","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0155"},{"reference_url":"https://github.com/follow-redirects/follow-redirects","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects"},{"reference_url":"https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"},{"reference_url":"https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2044556","reference_id":"2044556","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2044556"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0155","reference_id":"CVE-2022-0155","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0155"},{"reference_url":"https://github.com/advisories/GHSA-74fj-2j2h-c42q","reference_id":"GHSA-74fj-2j2h-c42q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-74fj-2j2h-c42q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8502","reference_id":"RHSA-2022:8502","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8502"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:21368","reference_id":"RHSA-2025:21368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:21368"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:21378","reference_id":"RHSA-2025:21378","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:21378"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:21704","reference_id":"RHSA-2025:21704","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:21704"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22415","reference_id":"RHSA-2025:22415","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22415"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22416","reference_id":"RHSA-2025:22416","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22416"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22418","reference_id":"RHSA-2025:22418","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22418"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22420","reference_id":"RHSA-2025:22420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22420"},{"reference_url":"https://usn.ubuntu.com/8217-1/","reference_id":"USN-8217-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8217-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18662?format=json","purl":"pkg:npm/follow-redirects@1.14.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mmm-s45q-hfd4"},{"vulnerability":"VCID-9rmp-5jhp-uqdy"},{"vulnerability":"VCID-jckm-qh6f-qbby"},{"vulnerability":"VCID-yyq3-9m73-nffv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/follow-redirects@1.14.7"}],"aliases":["CVE-2022-0155","GHSA-74fj-2j2h-c42q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-77ua-pc1n-2ucj"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/follow-redirects@1.14.7"}