CVE-2022-0155 in follow-redirects
Summary
by MITRE • 01/10/2022
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Analysis
by VulDB Data Team • 11/16/2025
CVE-2022-0155 affects the follow-redirects npm package, which is widely used in JavaScript applications to handle HTTP redirects. The vulnerability stems from improper handling of redirect URLs and leads to information disclosure when an application is redirected to an external domain: the package follows the redirect without adequately validating or sanitizing the target URL, so sensitive data can reach a party that controls the redirect destination.
The defect lies in the package's redirect-processing logic, which does not properly validate or sanitize redirect targets. When an application using follow-redirects receives a redirect, the package may carry sensitive information from the original request over to the redirected endpoint without a security check. This is an information-exposure condition matching CWE-201, which describes the exposure of sensitive information to an unauthorized actor. It is particularly concerning because follow-redirects is a dependency of many popular packages, which amplifies its potential impact across the JavaScript ecosystem.
The operational impact of CVE-2022-0155 extends beyond individual applications: a system whose applications use a vulnerable version of follow-redirects can be compromised when they process redirects to malicious endpoints. An attacker who controls the redirect destination can capture sensitive information transmitted during the redirect, such as authentication tokens, session cookies, API keys, or other personal data. The flaw can be exploited in man-in-the-middle attacks, credential theft, or data exfiltration campaigns, which makes it a significant concern for organizations relying on JavaScript-based applications.
Organizations should update to the patched version of follow-redirects immediately; the fix typically consists of proper URL validation and sanitization. Security teams should also assess their applications for affected versions of the package and monitor for suspicious redirect behavior. The ATT&CK framework categorizes this vulnerability under T1566, which covers "Phishing" techniques, as it can be leveraged to facilitate information-gathering attacks. Network-level controls such as web application firewalls and outbound traffic filtering can additionally detect and block unauthorized information disclosure. Regular audits of npm dependencies and up-to-date vulnerability scanning are essential to prevent similar exposures in the future.
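As an added example (not follow-redirects' own code), the defensive rule a redirect-follower should apply when validating targets: it assumes the exposure described above is credential-bearing request headers (Cookie, Authorization) being replayed to a redirect target on a different host, and the hosts, header values and hop limit are constructed for illustration.

```javascript
// Added example, not follow-redirects' own code. Policy: headers that carry
// credentials must not be replayed when a redirect leaves the origin.
// Assumption: the leak is request headers carried across hosts.
const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// A hop is cross-origin when scheme or host (incl. port) changes.
// An https -> http downgrade on the same host also counts as crossing.
function isCrossOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.host !== b.host;
}

// Build the header set for the next hop. On a cross-origin hop, drop
// credential-bearing headers (matched case-insensitively) and report them.
function headersForRedirect(fromUrl, toUrl, headers) {
  const crossOrigin = isCrossOrigin(fromUrl, toUrl);
  const out = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    out[name] = value;
  }
  return { headers: out, dropped, crossOrigin };
}

// Simulate following a chain of Location values (constructed, as a server
// might return them; relative Locations resolve against the current URL),
// applying the policy at every hop and enforcing a hop limit.
function followChain(startUrl, locations, headers, maxHops = 5) {
  let current = startUrl;
  let hdrs = { ...headers };
  const trace = [];
  for (const location of locations) {
    if (trace.length >= maxHops) throw new Error('too many redirects');
    const next = new URL(location, current).toString();
    const r = headersForRedirect(current, next, hdrs);
    trace.push({ from: current, to: next, dropped: r.dropped });
    hdrs = r.headers;
    current = next;
  }
  return { finalUrl: current, headers: hdrs, trace };
}
```

The `trace` array is the audit record a monitoring hook would log: any hop with a non-empty `dropped` list is a cross-host redirect that would have leaked credentials under the vulnerable behavior.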