GHSA-cxjh-pqwp-8mfp · Severity: medium · Ecosystem: npm — follow-redirects' Proxy-Authorization header kept across hosts
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears the Authorization header during a cross-domain redirect but keeps the Proxy-Authorization header, which also contains credentials. This vulnerability may lead to a credentials leak; it has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
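The defect described above is a header-sanitisation rule that is too narrow: on a cross-host redirect the client drops Authorization but forwards Proxy-Authorization to the new host. The block below is an added example and is not follow-redirects' own code; it models the two policies side by side (a "legacy" policy that mirrors the advisory's description, and a "fixed" policy that also drops Proxy-Authorization) and includes a check that reports any credential header that survived a cross-host redirect. It assumes, as the advisory's "cross-domain" wording suggests, that the relevant test is whether the redirect target's host differs from the original request's host; the header names, URLs and token values are constructed sample data.

```javascript
// Added example, not follow-redirects' code. Models which request headers
// may travel with a redirect: when the target is on a different host than
// the original request, every credential-bearing header must be dropped.
//
// "legacy" = behaviour described in the advisory (only Authorization removed).
// "fixed"  = Proxy-Authorization is removed as well.
const LEGACY_CREDENTIAL_HEADERS = ["authorization"];
const FIXED_CREDENTIAL_HEADERS = ["authorization", "proxy-authorization"];

// Assumption: "cross-domain" is decided by comparing the URL host
// (hostname plus port), case-insensitively. Uses Node's global URL class.
function sameHost(fromUrl, toUrl) {
  return new URL(fromUrl).host.toLowerCase() === new URL(toUrl).host.toLowerCase();
}

// Return a copy of `headers` suitable for the redirected request.
// Header names are matched case-insensitively, as HTTP requires.
function headersForRedirect(headers, fromUrl, toUrl, policy = "fixed") {
  const drop = policy === "legacy" ? LEGACY_CREDENTIAL_HEADERS : FIXED_CREDENTIAL_HEADERS;
  const crossHost = !sameHost(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && drop.includes(name.toLowerCase())) continue; // strip credential
    out[name] = value;
  }
  return out;
}

// Defensive check for a test suite or a request hook: list every credential
// header that is still present on a request that crossed to another host.
function leakedCredentialHeaders(redirectHeaders, fromUrl, toUrl) {
  if (sameHost(fromUrl, toUrl)) return [];
  return Object.keys(redirectHeaders).filter((name) =>
    FIXED_CREDENTIAL_HEADERS.includes(name.toLowerCase())
  );
}

// Constructed sample: a proxied, authenticated request redirected to another host.
const SAMPLE_HEADERS = {
  Host: "api.example.test",
  Authorization: "Bearer constructed-token",
  "Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ6c2VjcmV0", // constructed:secret
  Accept: "application/json",
};
const FROM_URL = "https://api.example.test/v1/resource";
const TO_URL = "https://cdn.other.test/v1/resource";

// Compare both policies on the sample redirect; returns the leaked header
// names per policy so the result can be inspected or asserted on.
function comparePolicies() {
  const legacy = headersForRedirect(SAMPLE_HEADERS, FROM_URL, TO_URL, "legacy");
  const fixed = headersForRedirect(SAMPLE_HEADERS, FROM_URL, TO_URL, "fixed");
  return {
    legacyLeaks: leakedCredentialHeaders(legacy, FROM_URL, TO_URL),
    fixedLeaks: leakedCredentialHeaders(fixed, FROM_URL, TO_URL),
  };
}
```

Running `comparePolicies()` shows the legacy policy forwarding `Proxy-Authorization` to `cdn.other.test` while the fixed policy forwards no credential header; a same-host redirect keeps both headers under either policy, which is the behaviour that makes the cross-host check, not a blanket strip, the right place for the fix.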
Conclusion & alert: CVE-2024-28849 is rated High Exploit Risk (61.8/100): CVSS Medium severity with medium exploitation likelihood (EPSS 1.04%). Core evidence: 1 public exploit reference is indexed (Exploit-DB). Mandatory action: public exploits are available; assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | — | Exploit-DB |
EPSS: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.11% | 1.04% | -0.06% |
| 2 | 2026-05-23 | 0.92% | 1.11% | +0.19% |
| 3 | 2026-05-22 | — | 0.92% | — |
Full EPSS history (18 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM | — | 2.8 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | not yet assigned | CVE-2024-28849 not yet assigned a priority: Debian tracks 1 source package (node-follow-redirects), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. | https://security-tracker.debian.org/tracker/CVE-2024-28849 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2024-28849 |
| suse | medium | CVE-2024-28849 severity moderate: SUSE tracks 54 source package names (corepack18, corepack20, …), 328 product×package rows across 39 product lines (SUSE Enterprise Storage 7.1, SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS, …): Known Not Affected 252, Will Not Fix 65, Fixed 11. | https://www.suse.com/security/cve/CVE-2024-28849/ |
| ubuntu | medium | CVE-2024-28849 medium priority: Ubuntu tracks 1 source package (node-follow-redirects), 9 status rows across 9 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, upstream): needs-triage 6, ignored 3. | https://ubuntu.com/security/CVE-2024-28849 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| follow-redirects_project | follow-redirects | < 1.15.6 | cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:* |
| URL | Tags |
|---|---|
| https://fetch.spec.whatwg.org/#authentication-entries | Technical Description |
| https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b | Patch |
| https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp | Exploit Vendor Advisory |
| https://github.com/psf/requests/issues/1885 | Issue Tracking |
| https://hackerone.com/reports/2390009 | Issue Tracking Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/[email protected]/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/ | Mailing List Third Party Advisory |