cvelistv5 - CVE-2025-21620

CVE-2025-21620 (GCVE-0-2025-21620)

Vulnerability from cvelistv5 – Published: 2025-01-06 22:26 – Updated: 2025-01-07 16:49

Title

Deno's authorization headers not dropped when redirecting cross-origin

Summary

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

https://github.com/denoland/deno/security/advisor…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	denoland	deno	Affected: < 2.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-21620",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-07T16:48:58.089267Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-07T16:49:19.307Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "deno",
          "vendor": "denoland",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno\u0027sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-06T22:26:40.723Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6"
        }
      ],
      "source": {
        "advisory": "GHSA-f27p-cmv8-xhm6",
        "discovery": "UNKNOWN"
      },
      "title": "Deno\u0027s authorization headers not dropped when redirecting cross-origin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-21620",
    "datePublished": "2025-01-06T22:26:40.723Z",
    "dateReserved": "2024-12-29T03:00:24.714Z",
    "dateUpdated": "2025-01-07T16:49:19.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno\u0027sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.\"}, {\"lang\": \"es\", \"value\": \"Deno es un entorno de ejecuci\\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. Cuando env\\u00eda una solicitud con el encabezado Authorization a un dominio y la respuesta solicita redirigir a un dominio diferente, la gesti\\u00f3n de redireccionamiento fetch() de Deno gestiona una solicitud de redireccionamiento de seguimiento que conserva el encabezado Authorization original y filtra su contenido a ese segundo dominio. Esta vulnerabilidad se corrigi\\u00f3 en 2.1.2.\"}]",
      "id": "CVE-2025-21620",
      "lastModified": "2025-01-06T23:15:07.770",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2025-01-06T23:15:07.770",
      "references": "[{\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21620\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-06T23:15:07.770\",\"lastModified\":\"2025-01-06T23:15:07.770\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno\u0027sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.\"},{\"lang\":\"es\",\"value\":\"Deno es un entorno de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. Cuando env\u00eda una solicitud con el encabezado Authorization a un dominio y la respuesta solicita redirigir a un dominio diferente, la gesti\u00f3n de redireccionamiento fetch() de Deno gestiona una solicitud de redireccionamiento de seguimiento que conserva el encabezado Authorization original y filtra su contenido a ese segundo dominio. Esta vulnerabilidad se corrigi\u00f3 en 2.1.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21620\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-07T16:48:58.089267Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-07T16:49:13.504Z\"}}], \"cna\": {\"title\": \"Deno\u0027s authorization headers not dropped when redirecting cross-origin\", \"source\": {\"advisory\": \"GHSA-f27p-cmv8-xhm6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"denoland\", \"product\": \"deno\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.2\"}]}], \"references\": [{\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6\", \"name\": \"https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno\u0027sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-06T22:26:40.723Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21620\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-07T16:49:19.307Z\", \"dateReserved\": \"2024-12-29T03:00:24.714Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-06T22:26:40.723Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-F27P-CMV8-XHM6

Vulnerability from github – Published: 2025-01-06 22:27 – Updated: 2025-01-07 02:52

Summary

fetch: Authorization headers not dropped when redirecting cross-origin

Details

Summary

When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain.

Details

The right behavior would be to drop the Authorization header instead, in this scenario. The same is generally applied to Cookie and Proxy-Authorization headers, and is done for not only host changes, but also protocol/port changes. Generally referred to as "origin".

The documentation states:

Deno does not follow the same-origin policy, because the Deno user agent currently does not have the concept of origins, and it does not have a cookie jar. This means Deno does not need to protect against leaking authenticated data cross origin

Reproduction

const ac = new AbortController()

const server1 = Deno.serve({ port: 3001, signal: ac.signal }, (req) => {
  return new Response(null, {
    status: 302,
    headers: {
      'location': 'http://localhost:3002/redirected'
    },
  })
})

const server2 = Deno.serve({ port: 3002, signal: ac.signal }, (req) => {
  const body = JSON.stringify({
    url: req.url,
    hasAuth: req.headers.has('authorization'),
  })
  return new Response(body, {
    status: 200,
    headers: {'content-type': 'application/json'},
  })
})

async function main() {
  const response = await fetch("http://localhost:3001/", {
    headers: {authorization: 'Bearer foo'}
  })
  const body = await response.json()

  ac.abort()

  if (body.hasAuth) {
    console.error('ERROR: Authorization header should not be present after cross-origin redirect')
  } else {
    console.log('SUCCESS: Authorization header is not present after cross-origin redirect')
  }
}

setTimeout(main, 500)

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno_fetch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.1"
            },
            {
              "fixed": "0.204.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.46.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-21620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-06T22:27:09Z",
    "nvd_published_at": "2025-01-06T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Deno\u0027s`fetch()` redirect handling creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain.\n\n\n### Details\n\nThe [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. The same is generally applied to `Cookie` and `Proxy-Authorization` headers, and is done for not only host changes, but also protocol/port changes. Generally referred to as \"origin\".\n\nThe [documentation](https://docs.deno.com/runtime/reference/web_platform_apis/#:~:text=Deno%20does%20not%20follow%20the,leaking%20authenticated%20data%20cross%20origin.) states: \n\u003e Deno does not follow the same-origin policy, because the Deno user agent currently does not have the concept of origins, and it does not have a cookie jar. This means Deno **does not need** to protect against leaking authenticated data cross origin \n\n### Reproduction\n```ts\nconst ac = new AbortController()\n\nconst server1 = Deno.serve({ port: 3001, signal: ac.signal }, (req) =\u003e {\n  return new Response(null, {\n    status: 302,\n    headers: {\n      \u0027location\u0027: \u0027http://localhost:3002/redirected\u0027\n    },\n  })\n})\n\nconst server2 = Deno.serve({ port: 3002, signal: ac.signal }, (req) =\u003e {\n  const body = JSON.stringify({\n    url: req.url,\n    hasAuth: req.headers.has(\u0027authorization\u0027),\n  })\n  return new Response(body, {\n    status: 200,\n    headers: {\u0027content-type\u0027: \u0027application/json\u0027},\n  })\n})\n\nasync function main() {\n  const response = await fetch(\"http://localhost:3001/\", {\n    headers: {authorization: \u0027Bearer foo\u0027}\n  })\n  const body = await response.json()\n  \n  ac.abort()\n  \n  if (body.hasAuth) {\n    console.error(\u0027ERROR: Authorization header should not be present after cross-origin redirect\u0027)\n  } else {\n    console.log(\u0027SUCCESS: Authorization header is not present after cross-origin redirect\u0027)\n  }\n}\n\nsetTimeout(main, 500)\n```\n",
  "id": "GHSA-f27p-cmv8-xhm6",
  "modified": "2025-01-07T02:52:55Z",
  "published": "2025-01-06T22:27:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21620"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fetch: Authorization headers not dropped when redirecting cross-origin"
}

FKIE_CVE-2025-21620

Vulnerability from fkie_nvd - Published: 2025-01-06 23:15 - Updated: 2025-01-06 23:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno\u0027sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2."
    },
    {
      "lang": "es",
      "value": "Deno es un entorno de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. Cuando env\u00eda una solicitud con el encabezado Authorization a un dominio y la respuesta solicita redirigir a un dominio diferente, la gesti\u00f3n de redireccionamiento fetch() de Deno gestiona una solicitud de redireccionamiento de seguimiento que conserva el encabezado Authorization original y filtra su contenido a ese segundo dominio. Esta vulnerabilidad se corrigi\u00f3 en 2.1.2."
    }
  ],
  "id": "CVE-2025-21620",
  "lastModified": "2025-01-06T23:15:07.770",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-06T23:15:07.770",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-21620 (GCVE-0-2025-21620)

GHSA-F27P-CMV8-XHM6

Summary

Details

Reproduction

FKIE_CVE-2025-21620

Tags

Sightings

Nomenclature