Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14NTY1LTMycXAtbTN2Zs4AA67m

phin may include sensitive headers in subsequent requests after redirect

Impact

Users may be affected when sending requests that carry sensitive data in specific headers with followRedirects enabled, because those headers may be included in the follow-up request made after a redirect.

Patches

Redirects are now handled by the follow-redirects library, which strips some headers that may contain sensitive information in some situations.

Workarounds

None. Update to a fixed version to resolve the issue.

Permalink: https://github.com/advisories/GHSA-x565-32qp-m3vf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NTY1LTMycXAtbTN2Zs4AA67m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 20 days ago
Updated: 20 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-x565-32qp-m3vf
References: Repository: https://github.com/ethanent/phin
Blast Radius: 22.1

Affected Packages

npm:phin
Dependent packages: 268
Dependent repositories: 134,627
Downloads: 5,107,728 last month
Affected Version Ranges: < 3.7.1
Fixed in: 3.7.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 2.0.0, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.81, 2.2.90, 2.2.91, 2.2.92, 2.2.93, 2.2.94, 2.2.95, 2.3.11, 2.4.18, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0
All unaffected versions: 3.7.1, 4.0.0