Affected versions of this package are vulnerable to Insufficiently Protected Credentials because the sensitive Proxy-Authorization header is forwarded unchanged across redirects to a different hostname. An attacker who can induce a redirect to a host they control receives the unstripped Proxy-Authorization header and thereby obtains the proxy credentials.
Note: This is only exploitable if redirect following is explicitly enabled by setting the redirects option to a positive integer.
Workaround
This vulnerability can be mitigated by leaving the redirects option at its default value (false), by manually stripping the Proxy-Authorization header before issuing requests, or by using the beforeRedirect hook to remove sensitive headers whenever a redirect targets a different hostname than the original request.
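The third workaround, as an added example that is not the package's own code: a beforeRedirect-style hook that drops credential headers only when the redirect crosses hostnames. The hook signature (options with url and headers, plus the response carrying the Location header) and the returned options shape are assumptions; adapt them to the client's real hook contract.

```javascript
// Added example, not code from the advisory's package. The hook signature
// (options, response) -> options is assumed; real clients differ.
const SENSITIVE_HEADERS = ['proxy-authorization', 'authorization', 'cookie'];

// True when the redirect target resolves to a different hostname than the
// original request. A relative Location resolves against the original URL.
function isCrossHost(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, fromUrl);
  return from.hostname.toLowerCase() !== to.hostname.toLowerCase();
}

// Returns a copy of the headers without credential-bearing entries, plus the
// list of header names that were removed (useful for logging/detection).
function stripSensitiveHeaders(headers) {
  const kept = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      stripped.push(name);
    } else {
      kept[name] = value;
    }
  }
  return { headers: kept, stripped };
}

// Hypothetical beforeRedirect hook: same-host redirects keep headers intact;
// cross-host redirects get Proxy-Authorization (and friends) removed.
function beforeRedirectHook(options, response) {
  const location = response && response.headers && response.headers.location;
  if (!location || !isCrossHost(options.url, location)) {
    return { ...options, stripped: [] };
  }
  const { headers, stripped } = stripSensitiveHeaders(options.headers);
  return { ...options, url: new URL(location, options.url).href, headers, stripped };
}

// Constructed sample request carrying proxy credentials (placeholder value).
const sampleOptions = {
  url: 'https://api.example.com/data',
  headers: {
    'Proxy-Authorization': 'Basic PLACEHOLDER_NOT_A_REAL_CREDENTIAL',
    'Accept': 'application/json',
  },
};
```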