Vulnerability Details
GHSA-396q-4vc8-28x9 in @microsoft/kiota-http-fetchlibrary: Bearer token leak across origin on HTTP redirects.
Issue
The RedirectHandler has a case-sensitivity bug in its defaultScrubSensitiveHeaders callback. Headers are normalized to lowercase in FetchRequestAdapter.getRequestFromRequestInformation, but the scrub callback attempts to delete using case-sensitive property names (Authorization, Cookie). This causes sensitive headers to be forwarded to attacker-controlled hosts across 30x redirects.
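To make the defect concrete, here is an added illustration (constructed for this page, not code from @microsoft/kiota-http-fetchlibrary) of a header scrub that deletes case-sensitive keys against an already-lowercased header map, next to a case-insensitive scrub, applied only when a redirect crosses origins. The function and variable names are hypothetical.

```javascript
// Constructed example; not code from @microsoft/kiota-http-fetchlibrary.
// Models a request whose header names were normalized to lowercase, then a
// scrub step run before following a redirect to a different origin.

const SENSITIVE = ["authorization", "cookie"];

// Buggy scrub: deletes case-sensitive property names, which never match the
// lowercased keys, so the sensitive values survive the redirect.
function scrubCaseSensitive(headers) {
  const out = { ...headers };
  delete out["Authorization"];
  delete out["Cookie"];
  return out;
}

// Fixed scrub: HTTP header names are case-insensitive, so compare lowercased.
function scrubCaseInsensitive(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Headers to forward on a redirect: scrub only when the origin changes.
function headersForRedirect(headers, fromUrl, toUrl, scrub) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  return sameOrigin ? { ...headers } : scrub(headers);
}

// Constructed sample: header names already lowercased, values are dummies.
const sampleHeaders = {
  authorization: "Bearer dummy-token",
  cookie: "session=dummy",
  accept: "application/json",
};

// Compare what each scrub forwards on a cross-origin 30x redirect.
function demo() {
  const from = "https://api.example.com/v1/me";
  const to = "https://other.example.net/landing";
  return {
    leaked: headersForRedirect(sampleHeaders, from, to, scrubCaseSensitive),
    safe: headersForRedirect(sampleHeaders, from, to, scrubCaseInsensitive),
  };
}
```

A regression test for a fix of this kind should assert on lowercased header names, since a test that sets `Authorization` in mixed case would pass against the buggy scrub.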
Impact
- Bearer token leak when redirected to different host
- Session cookie leak across origin
- Affects all kiota-generated TypeScript SDKs using default middleware chain
- No user interaction required; default configuration is vulnerable
Resolution
Update @microsoft/kiota-http-fetchlibrary to version 1.0.0-preview.102 or later, which contains the fix for this vulnerability.
References