Executive Summary

This vulnerability is a Sensitive Data Exposure issue in the benoitc hackney HTTP client library, specifically in its HTTP/3 redirect handler (hackney_h3.erl). When a client makes an HTTP/3 request with the follow_redirect option enabled and includes sensitive headers like Authorization or Cookie, the client forwards these headers unchanged to the redirect target, even if the redirect points to a different host. This happens because the HTTP/3 redirect handler does not perform any cross-origin checks before forwarding the headers.

While the main hackney module has a mechanism (maybe_strip_auth_on_redirect/2) to prevent this by stripping authentication headers on redirects to untrusted locations, this protection is missing in the HTTP/3 redirect handler, leading to potential exposure of sensitive credentials to unintended hosts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the unintended disclosure of sensitive credentials such as Authorization tokens or Cookies to third-party or malicious hosts when an HTTP/3 redirect occurs. If an attacker controls or monitors the redirect target, they could capture these credentials and use them to impersonate the user or gain unauthorized access to protected resources.

This exposure increases the risk of account compromise, data breaches, and unauthorized actions performed on behalf of the user, potentially leading to further security incidents.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows sensitive data such as Authorization or Cookie headers to be forwarded to unintended third-party origins without proper cross-origin checks. This exposure of sensitive credentials can lead to unauthorized access or data leakage.

Such exposure of sensitive data can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over the handling and sharing of personal and sensitive information to prevent unauthorized disclosure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the HTTP/3 client in the hackney library forwarding Authorization, Cookie, and Proxy-Authorization headers to cross-origin redirect targets without validation when follow_redirect is enabled.

To detect this vulnerability on your network or system, you can monitor HTTP/3 traffic for 3xx redirect responses where requests include sensitive headers such as Authorization or Cookie, and verify if these headers are being sent to a different host than the original request.

Commands or methods to detect this behavior could include:

• Using packet capture tools like tcpdump or Wireshark to capture HTTP/3 traffic and inspect redirect requests and headers.
• Example tcpdump command to capture HTTP/3 traffic (UDP port 443):
• tcpdump -i <interface> udp port 443 -w capture.pcap
• Analyze the capture with Wireshark or similar tools to check for 3xx redirect responses and subsequent requests forwarding Authorization or Cookie headers to different hosts.
• If you have access to application logs or can enable debug logging in hackney, look for requests with follow_redirect enabled and verify if credentials are forwarded to cross-origin URLs.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the hackney library to version 4.0.1 or later, where the vulnerability has been fixed.

The fix ensures that Authorization, Cookie, and Proxy-Authorization headers are stripped when redirecting to a different origin unless explicitly allowed via the location_trusted option.

If upgrading immediately is not possible, consider disabling the follow_redirect option in HTTP/3 requests to prevent automatic forwarding of credentials to redirect targets.

Additionally, review and audit your usage of the location_trusted option to ensure it is not set in a way that bypasses these protections.

Useful 0 Not Useful 0