GHSA-r4q5-vmmm-2653: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets

April 14, 2026

When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.

Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.

References

github.com/advisories/GHSA-r4q5-vmmm-2653
github.com/follow-redirects/follow-redirects
github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9
github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653

Code Behaviors & Features

Detect and mitigate GHSA-r4q5-vmmm-2653 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →