CVE-2022-1650: Exposure of Sensitive Information in eventsource

CVSS Score (v3.1): 9.3

Basic Information

EPSS Score: 0.84394%
Published: 5/13/2022
Updated: 11/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
eventsource    npm         < 1.1.1               1.1.1
eventsource    npm         >= 2.0.0, < 2.0.2     2.0.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the HTTP redirect handling of the EventSource implementation. Analysis of the patches shows:

  1. In vulnerable versions, the EventSource constructor's connect method copied the request headers onto the redirected request without checking whether the redirect target had a different origin.
  2. The patches add a 'hasNewOrigin' flag and a removeUnsafeHeaders function, which indicates that sensitive headers were previously forwarded to the redirect target.
  3. The core defect is in the header-processing flow during redirects, which is encapsulated in the EventSource/connect call stack.
  4. Runtime detection would see these functions in stack traces when a redirect carrying sensitive headers is handled.
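
The following sketch is an added illustration of the hardening described above and is not the eventsource package's own code: it contrasts the vulnerable behaviour, which forwarded every header to the redirect target, with a version that drops credential-bearing headers when the origin changes. The function names, the header list and the sample request are assumptions made for this example.

```javascript
// Added illustration of the redirect hardening described above; not the
// eventsource package's own code. Function names and the header list are
// assumptions chosen for this example.

// Credential-bearing headers that must not follow a cross-origin redirect
// (assumed list; the real fix may use a different one).
const UNSAFE_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// True when the redirect target lives at a different scheme://host:port
// than the request that received the redirect (default ports are normalised).
function hasNewOrigin(currentUrl, targetUrl) {
  return new URL(currentUrl).origin !== new URL(targetUrl).origin;
}

// Return a copy of `headers` with the unsafe ones removed (case-insensitive).
function removeUnsafeHeaders(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!UNSAFE_HEADERS.has(name.toLowerCase())) cleaned[name] = value;
  }
  return cleaned;
}

// Vulnerable behaviour: every header, credentials included, is copied onto
// the follow-up request regardless of where the Location header points.
function vulnerableRedirect(currentUrl, location, headers) {
  const target = new URL(location, currentUrl).toString();
  return { url: target, headers: { ...headers } };
}

// Hardened behaviour: credentials are dropped when the origin changes,
// but kept for same-origin redirects (e.g. a relative Location).
function hardenedRedirect(currentUrl, location, headers) {
  const target = new URL(location, currentUrl).toString();
  const forwarded = hasNewOrigin(currentUrl, target)
    ? removeUnsafeHeaders(headers)
    : { ...headers };
  return { url: target, headers: forwarded };
}

// Constructed sample: an SSE client holding a bearer token and a session
// cookie is redirected from the app to an unrelated host.
const sampleHeaders = { Authorization: 'Bearer TOKEN', Cookie: 'sid=abc', Accept: 'text/event-stream' };
const leaked = vulnerableRedirect('https://app.example/events', 'https://other.example/collect', sampleHeaders);
const safe = hardenedRedirect('https://app.example/events', 'https://other.example/collect', sampleHeaders);
console.log(Object.keys(leaked.headers)); // [ 'Authorization', 'Cookie', 'Accept' ]
console.log(Object.keys(safe.headers));   // [ 'Accept' ]
```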

WAF Protection Rules

WAF Rule

When fetching a URL that redirects to an external site, the user's cookies and authorisation headers are leaked to the third-party application. According to the same-origin policy, these headers should be "sanitized."