Vulnerabilities |
2 via 2 paths |
|---|---|
Dependencies |
72 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: @hapi/wreck
- Introduced through: seneca@3.38.0
Detailed paths
-
Introduced through: @seneca/doc@voxgig/seneca-doc › seneca@3.38.0 › @hapi/wreck@17.2.0
Overview
@hapi/wreck is a HTTP Client Utilities library.
Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to the improper origin validation in the cross-origin redirect handling. An attacker can obtain sensitive credential headers by crafting cross-port or cross-scheme redirects, enabling interception of bearer tokens, session cookies, or proxy credentials.
Workaround
This vulnerability can be mitigated by setting redirects: 0 and handling redirects manually with a strict origin check, or by using the beforeRedirect hook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.
Remediation
Upgrade @hapi/wreck to version 18.1.2 or higher.
References
medium severity
- Vulnerable module: @hapi/wreck
- Introduced through: seneca@3.38.0
Detailed paths
-
Introduced through: @seneca/doc@voxgig/seneca-doc › seneca@3.38.0 › @hapi/wreck@17.2.0
Overview
@hapi/wreck is a HTTP Client Utilities library.
Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to leaking the sensitive Proxy-Authorization header across cross-hostname redirects. An attacker can obtain sensitive proxy credentials by inducing a redirect to a malicious host, which receives the unstripped Proxy-Authorization header.
Note:
This is only exploitable if redirect following is explicitly enabled by setting the redirects option to a positive integer.
Workaround
This vulnerability can be mitigated by leaving redirects at its default value (false), manually stripping the Proxy-Authorization header before issuing requests, or using the beforeRedirect hook to remove sensitive headers when redirecting to a different hostname.
Remediation
Upgrade @hapi/wreck to version 18.1.1 or higher.