Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's `fetch()` redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.
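As an added example (not Deno's own code or its fix), the mitigation a caller can apply on a runtime that still has this behaviour: request with `redirect: "manual"`, follow the redirect chain by hand, and drop Authorization whenever the next hop's origin differs from the current one. The fetch implementation is injected so the scenario runs offline, and the hostnames are constructed.

```javascript
// Headers that must not follow a cross-origin redirect. The advisory
// concerns Authorization; the list itself is this example's assumption.
const SENSITIVE_HEADERS = ["authorization"];

// Return the headers allowed to travel from `fromUrl` to `nextUrl`:
// same origin keeps everything, a different origin loses the sensitive ones.
function headersForRedirect(fromUrl, nextUrl, headers) {
  const out = new Headers(headers);
  if (new URL(fromUrl).origin !== new URL(nextUrl).origin) {
    for (const name of SENSITIVE_HEADERS) out.delete(name);
  }
  return out;
}

// Follow redirects by hand (redirect: "manual") so the header policy is
// re-evaluated at every hop. `fetchImpl` is injectable for offline testing;
// in Deno you would pass globalThis.fetch. The method is not rewritten on
// 301/302/303, which a full client would also handle.
async function fetchWithSafeRedirects(url, init = {}, fetchImpl = globalThis.fetch, maxRedirects = 5) {
  let current = new URL(url).toString();
  let headers = new Headers(init.headers);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current, { ...init, headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || location === null) return res;
    const nextUrl = new URL(location, current).toString();
    headers = headersForRedirect(current, nextUrl, headers);
    current = nextUrl;
  }
  throw new Error("too many redirects");
}

// Constructed scenario: api.example.test answers 302 to other.example.test.
// Returns the Authorization value each host actually received, so the
// second entry shows whether the token leaked across origins.
async function simulateCrossOriginRedirect() {
  const received = [];
  const fakeFetch = async (url, init) => {
    const host = new URL(url).host;
    received.push({ host, authorization: new Headers(init.headers).get("authorization") });
    if (host === "api.example.test") {
      return new Response(null, { status: 302, headers: { location: "https://other.example.test/landing" } });
    }
    return new Response("ok", { status: 200 });
  };
  await fetchWithSafeRedirects("https://api.example.test/login",
    { headers: { authorization: "Bearer secret-token" } }, fakeFetch);
  return received;
}
```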
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| deno_fetch (crates.io) | 0.0.1 | 0.204.0 | N/A |
| deno (crates.io) | 0 | N/A | N/A |
| deno (crates.io) | 2.0.0 | 2.1.2 | N/A |