📄 Description (English)
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
🤖 AI Executive Summary
follow-redirects versions prior to 1.16.0 leak custom authentication headers (X-API-Key, X-Auth-Token, etc.) during cross-domain HTTP redirects, exposing API credentials to untrusted domains. This affects Node.js applications using the library for HTTP requests. The vulnerability has a CVSS score of 7.5 and poses significant risk to organizations relying on API-based integrations for critical services.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 2, 2026 14:23
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in banking (SAMA-regulated institutions), fintech platforms, government digital services (NCA oversight), healthcare systems, and energy sector (ARAMCO, SEC) are at high risk. API-based integrations for payment processing, data exchange, and service delivery could expose authentication credentials to attackers. Telecom operators (STC, Mobily) using follow-redirects for API communications face credential compromise risks. Government agencies relying on Node.js microservices for citizen services are particularly vulnerable.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
E-commerce and Retail
Insurance
Education
🎯 MITRE ATT&CK Techniques
T1598 - Phishing: Spearphishing Link (credential harvesting via redirect)
T1187 - Forced Authentication (credential exposure via redirect)
T1040 - Traffic Redirection/Man-in-the-Middle (credential interception)
T1528 - Steal Application Access Token (API key/token theft)
T1110 - Brute Force (using exposed credentials)
T1021 - Remote Services (lateral movement with exposed credentials)
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all Node.js applications using follow-redirects library across your infrastructure
2. Identify custom authentication headers used in HTTP requests (X-API-Key, X-Auth-Token, Api-Key, Token, Authorization-Custom, etc.)
3. Review application logs for cross-domain redirects (301/302/307/308 responses) to identify potential credential exposure
4. Rotate all API keys, authentication tokens, and custom credentials that may have been exposed
5. Implement network monitoring to detect suspicious API usage from exposed credentials
PATCHING GUIDANCE:
1. Upgrade follow-redirects to version 1.16.0 or later immediately
2. Update package.json: npm install follow-redirects@^1.16.0
3. Run npm audit to verify no other vulnerable dependencies
4. Test all redirect-dependent functionality after patching
5. Deploy patches to production within 48 hours
COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement HTTP request filtering to block cross-domain redirects at application level
2. Use custom HTTP client wrapper to strip custom auth headers before following redirects
3. Implement strict redirect whitelisting (only allow redirects to trusted domains)
4. Monitor outbound HTTP requests for credential leakage patterns
5. Implement API rate limiting and anomaly detection on exposed credentials
DETECTION RULES:
1. Monitor for follow-redirects module version < 1.16.0 in npm inventory
2. Alert on HTTP 301/302/307/308 responses followed by requests to different domains
3. Detect custom authentication headers in requests to external/untrusted domains
4. Monitor for API key usage from unexpected IP addresses or geographic locations
5. Track failed authentication attempts using potentially exposed credentials
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تطبيقات Node.js التي تستخدم مكتبة follow-redirects عبر البنية التحتية
2. تحديد رؤوس المصادقة المخصصة المستخدمة في طلبات HTTP
3. مراجعة سجلات التطبيق لعمليات إعادة التوجيه بين النطاقات لتحديد تسرب بيانات الاعتماد المحتملة
4. تدوير جميع مفاتيح API والرموز والبيانات المخصصة التي قد تكون قد تعرضت
5. تنفيذ المراقبة الشبكية للكشف عن الاستخدام المريب لـ API من بيانات الاعتماد المكشوفة
إرشادات التصحيح:
1. ترقية follow-redirects إلى الإصدار 1.16.0 أو أحدث فوراً
2. تحديث package.json: npm install follow-redirects@^1.16.0
3. تشغيل npm audit للتحقق من عدم وجود تبعيات ضعيفة أخرى
4. اختبار جميع الوظائف المعتمدة على إعادة التوجيه بعد التصحيح
5. نشر التصحيحات في الإنتاج خلال 48 ساعة
الضوابط البديلة:
1. تنفيذ تصفية طلبات HTTP لحظر عمليات إعادة التوجيه بين النطاقات على مستوى التطبيق
2. استخدام غلاف عميل HTTP مخصص لإزالة رؤوس المصادقة المخصصة قبل متابعة عمليات إعادة التوجيه
3. تنفيذ قائمة بيضاء صارمة لإعادة التوجيه
4. مراقبة طلبات HTTP الصادرة للكشف عن أنماط تسرب بيانات الاعتماد
5. تنفيذ تحديد معدل API والكشف عن الشذوذ
قواعد الكشف:
1. مراقبة إصدار وحدة follow-redirects < 1.16.0 في جرد npm
2. تنبيه على استجابات HTTP 301/302/307/308 متبوعة بطلبات إلى نطاقات مختلفة
3. الكشف عن رؤوس المصادقة المخصصة في الطلبات إلى نطاقات خارجية/غير موثوقة
4. تتبع استخدام مفتاح API من عناوين IP أو مواقع جغرافية غير متوقعة
5. تتبع محاولات المصادقة الفاشلة باستخدام بيانات اعتماد قد تكون مكشوفة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.6.2.1 - User access management and authentication controls
ECC 2024 A.8.2.3 - Segregation of duties in system access
ECC 2024 A.12.2.1 - Change management procedures for software
ECC 2024 A.14.2.1 - Secure development and testing practices
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware asset management
SAMA CSF PR.AC-1 - Access control and authentication mechanisms
SAMA CSF PR.DS-2 - Data security and encryption
SAMA CSF DE.CM-1 - Detection and monitoring of anomalous activity
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.22 - Secure development and testing
ISO 27001:2022 A.8.32 - Change management
ISO 27001:2022 A.8.33 - Testing of information security
🟣 PCI DSS v4.0.1
PCI DSS 2.2.4 - Configure system security parameters
PCI DSS 6.2 - Ensure security patches are installed
PCI DSS 8.2.1 - User authentication and access control
PCI DSS 10.2.5 - Logging of access to cardholder data
📦 Affected Products / CPE 1 entries
follow-redirects_project:follow-redirects