Miggo Logo
Miggo Vulnerability Database
CVE-2022-0155

CVE-2022-0155: Exposure of sensitive information in follow-redirects

8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2022-0155
GHSA ID
GHSA-74fj-2j2h-c42q
EPSS Score
0.74718%
CWE
CWE-359
Published
1/12/2022
Updated
2/12/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
follow-redirectsnpm< 1.14.71.14.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub commit 8b347cb explicitly modifies the header removal logic in _processResponse to include the Cookie header. The vulnerability stems from sensitive headers being forwarded to unauthorized domains during redirects. The patch adds Cookie to the headers being stripped, confirming this was the vulnerable code path. The CWE-359 classification and advisory descriptions about PII exposure align with this cookie leakage scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ollow-r**ir**ts is vuln*r**l* to *xposur* o* Priv*t* P*rson*l In*orm*tion to *n Un*ut*oriz** **tor

Reasoning

T** *it*u* *ommit ******* *xpli*itly mo*i*i*s t** *****r r*mov*l lo*i* in `_pro**ssR*spons*` to in*lu** t** *ooki* *****r. T** vuln*r**ility st*ms *rom s*nsitiv* *****rs **in* *orw*r*** to un*ut*oriz** *om*ins *urin* r**ir**ts. T** p*t** ***s *ooki*