CVE-2025-21620

7.5 HIGH

📋 TL;DR

Deno's fetch() redirect handling leaks Authorization headers to unintended domains when following cross-domain redirects. This allows sensitive authentication tokens to be exposed to third-party servers. All Deno applications using fetch() with Authorization headers are affected.

💻 Affected Systems

Products:
  • Deno
Versions: All versions before 2.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using fetch() with Authorization headers that encounter cross-domain redirects.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authentication tokens (JWT, API keys, session cookies) are sent to malicious domains, enabling account takeover, data theft, and lateral movement.

🟠 Likely Case

Accidental credential leakage to legitimate but unintended third-party services during normal redirect flows.

🟢 If Mitigated

Limited exposure if applications use short-lived tokens, validate redirect destinations, or avoid sensitive headers in fetch requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to control redirect destination or intercept legitimate redirect flow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.2

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6

Restart Required: No

Instructions:

1. Update Deno: deno upgrade --version 2.1.2
2. Update dependencies in deno.json
3. Test fetch() redirect behavior

🔧 Temporary Workarounds

Manual redirect handling

Applies to: all

Disable automatic redirects and handle redirects manually without forwarding Authorization headers

fetch(url, { redirect: 'manual' }) // Then handle Location header manually

Strip sensitive headers

Applies to: all

Remove Authorization header before following redirects programmatically
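Added example combining both workarounds above (not code from the advisory or the Deno project): redirects are followed by hand with redirect: 'manual', and the Authorization header is dropped whenever a hop changes origin. It assumes a GET-style request without a body; fetchImpl is a hypothetical injectable parameter, and fakeFetch with its api.example / cdn.example URLs is a constructed stand-in so the chain runs offline.

```javascript
// Added example (not from the advisory or Deno): follow redirects by hand and
// drop Authorization on cross-origin hops. Deno or Node 18+; GET-style request.
// True when a hop from `from` to `to` changes scheme, host or port.
function isCrossOrigin(from, to) {
  return new URL(from).origin !== new URL(to).origin;
}

// Copy of the current headers, minus Authorization if the hop leaves the origin.
function headersForHop(current, from, to) {
  const next = new Headers(current);
  if (isCrossOrigin(from, to)) next.delete("authorization");
  return next;
}

// Follows up to maxHops redirects manually. fetchImpl is a hypothetical
// injectable parameter so the logic can be exercised with a fake fetch.
async function fetchWithSafeRedirect(url, init = {}, fetchImpl = fetch, maxHops = 5) {
  let current = url;
  let headers = new Headers(init.headers);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(current, { ...init, headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || !location) return res;
    // Location may be relative; resolve it against the URL just fetched.
    const next = new URL(location, current).toString();
    headers = headersForHop(headers, current, next);
    current = next;
  }
  throw new Error(`more than ${maxHops} redirects from ${url}`);
}

// Constructed fake fetch: same-origin redirect first, then a redirect to a CDN
// on another origin. Records the Authorization value presented on each hop.
const seenAuth = [];
async function fakeFetch(url, init) {
  seenAuth.push(init.headers.get("authorization"));
  if (url === "https://api.example/resource")
    return new Response(null, { status: 302, headers: { location: "/v2/resource" } });
  if (url === "https://api.example/v2/resource")
    return new Response(null, { status: 302, headers: { location: "https://cdn.example/file" } });
  return new Response("ok", { status: 200 });
}

// Runs the chain; the token is sent on both api.example hops and withheld on the CDN hop.
async function demo() {
  seenAuth.length = 0;
  const res = await fetchWithSafeRedirect("https://api.example/resource",
    { headers: { authorization: "Bearer token" } }, fakeFetch);
  return { status: res.status, seenAuth: [...seenAuth] };
}
```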

🧯 If You Can't Patch

  • Implement server-side redirect validation to prevent cross-domain redirects
  • Use short-lived tokens and implement token revocation mechanisms

🔍 How to Verify

Check if Vulnerable:

Check Deno version: if below 2.1.2 and using fetch() with Authorization headers, assume vulnerable

Check Version:

deno --version

Verify Fix Applied:

Test fetch() with Authorization header to cross-domain redirect and verify header isn't forwarded

📡 Detection & Monitoring

Log Indicators:

  • Unexpected cross-domain requests with Authorization headers
  • Failed authentication after redirects

Network Indicators:

  • Authorization headers sent to unexpected domains in redirect chains

SIEM Query:

http.method:GET AND http.headers.authorization:* AND NOT destination.domain:expected-domain
