follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Exploitability: AV:N / AC:L / AT:N / PR:N / UI:N
Vulnerable System: VC:L / VI:N / VA:N
Subsequent System: SC:N / SI:N / SA:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N