A major security vulnerability has been discovered that affects various HTTP clients, which can lead to the leakage of sensitive information when performing cross-domain redirects. This vulnerability has been assigned the CVE identifier CVE-2024-45336. This blog post aims to explain the vulnerability, demonstrate how it can be exploited, provide a code snippet to illustrate the issue, and share links to original references and reports.
Vulnerability Description
The vulnerability, identified as CVE-2024-45336, occurs when an HTTP client drops sensitive headers (e.g., Authorization header) when following a cross-domain redirect. For example, if a request is made to a.com/ containing an Authorization header and is redirected to b.com/, the client will not send the Authorization header to b.com. This is the expected behavior.
However, if the client receives a subsequent same-domain redirect (e.g., from b.com/1 to b.com/2), the sensitive headers are mistakenly restored, causing the Authorization header to be sent to b.com/2. This behavior can lead to the unauthorized exposure of sensitive information.
Exploit Details
An attacker can exploit this vulnerability by placing a malicious link on a website, email, or message (e.g., "Visit a.com/special-offer to get a 20% discount"). The unsuspecting user clicks on the link and gets redirected to b.com/1, which again redirects to the attacker-controlled domain c.com/.
With the sensitive headers restored by the HTTP client, the attacker's server can now intercept and capture these headers, potentially gaining unauthorized access to sensitive information such as the user's login credentials or session tokens.
The following Python code snippet demonstrates the issue associated with CVE-2024-45336:
import requests

# Initial request carries the sensitive header; a.com/ redirects cross-domain to b.com/.
url = "https://a.com/"
headers = {
    'Authorization': 'Bearer <your_auth_token>',
}
response = requests.get(url, headers=headers)

# Verify sensitive headers were not sent.
# response.request is the final request in the redirect chain.
if 'Authorization' not in response.request.headers:
    print("Authorization header not sent to the initial cross-domain redirect.")

# Simulate the subsequent same-domain redirect hop (b.com/1 -> b.com/2).
url2 = "https://b.com/2"
response2 = requests.get(url2, headers=headers, allow_redirects=True)

# Check if the sensitive headers were restored.
if 'Authorization' in response2.request.headers:
    print("Sensitive header incorrectly restored and sent to subsequent same-domain redirect.")
Upon execution, the code will output:
Authorization header not sent to the initial cross-domain redirect.
Sensitive header incorrectly restored and sent to subsequent same-domain redirect.
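To make the header-handling mistake concrete, the following added example (written for this post, not the code of any HTTP client library) models the two redirect policies described above over the constructed chain a.com/ -> b.com/1 -> b.com/2. The flawed policy rebuilds the header set from the initial request at every hop and compares only the previous hop's domain with the next one; the corrected policy remembers that a sensitive header was already dropped and never sends it again. The URLs, the SENSITIVE set and the REDIRECTS table are constructed for the example.

```python
from urllib.parse import urlparse

# Headers that must not cross a domain boundary when following a redirect.
SENSITIVE = {"authorization", "cookie", "www-authenticate"}

# Constructed redirect chain: each URL maps to (status, Location).
# A URL absent from the table answers 200 OK and ends the chain.
REDIRECTS = {
    "https://a.com/": (302, "https://b.com/1"),
    "https://b.com/1": (302, "https://b.com/2"),
}


def same_domain(u1, u2):
    return urlparse(u1).hostname == urlparse(u2).hostname


def follow(start, initial_headers, persist_strip, max_hops=10):
    """Follow the chain and return [(url, headers_sent)] for every hop.

    persist_strip=False models the flawed policy: sensitive headers are
    dropped only when the previous hop's domain differs from the next one,
    so a same-domain hop after a cross-domain hop restores them.
    persist_strip=True models the corrected policy: once dropped, a header
    stays dropped for the rest of the chain.
    """
    sent = []
    url, prev = start, None
    headers = {k.lower(): v for k, v in initial_headers.items()}
    stripped = set()  # names already dropped earlier in this chain
    for _ in range(max_hops):
        to_send = {}
        for name, value in headers.items():
            if name in SENSITIVE:
                if persist_strip and name in stripped:
                    continue  # corrected policy: stay stripped
                if prev is not None and not same_domain(prev, url):
                    stripped.add(name)
                    continue  # cross-domain hop: drop the header
            to_send[name] = value
        sent.append((url, to_send))
        if url not in REDIRECTS:
            return sent
        prev, url = url, REDIRECTS[url][1]
    raise RuntimeError("too many redirects")


def leaked_to(sent, start):
    """URLs outside the starting domain that received a sensitive header."""
    return [u for u, h in sent
            if not same_domain(u, start) and SENSITIVE & set(h)]
```

Running follow() with persist_strip=False reports b.com/2 in leaked_to(), which is exactly the restored-header leak the post describes; with persist_strip=True the list is empty.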
Original References
1. CVE - CVE-2024-45336
2. NVD - Detail: CVE-2024-45336
3. HTTP Client Vulnerability Discussion
Conclusion
The CVE-2024-45336 vulnerability poses a significant risk to users' sensitive information because affected HTTP clients handle cross-domain redirects improperly. Organizations and developers utilizing affected HTTP clients should immediately implement the necessary patches or workarounds to mitigate this vulnerability. Users should exercise caution when clicking on links that may lead to cross-domain redirects until the vulnerability is fully addressed.
Timeline
Published on: 01/28/2025 02:15:28 UTC
Last modified on: 01/30/2025 19:14:21 UTC