GHSA-r4q5-vmmm-2653 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
GHSA-r4q5-vmmm-2653	MEDIUM	follow-redirects	1.15.11	1.16.0	2026-04-14T01:11:11Z	2026-04-14T10:18:18.530755696Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:f3c7f2bfd1d1d1abafd1ff79e277ff4573a00e127c215122452382e6a18d9230
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:6a71cc96455b1357273239aebf6b98a812fccadfed8f4693133e533d997abcac
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:f3c7f2bfd1d1d1abafd1ff79e277ff4573a00e127c215122452382e6a18d9230
public.ecr.aws/lambda/nodejs:20	public.ecr.aws/lambda/nodejs@sha256:a4440274d6f0fb4e6cb92cd5f2a97254efe6612f631d9974b197ecbd4a61fcab

---

Description

Summary

When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.

Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.

Affected Code

index.js, lines 469-476:

if (redirectUrl.protocol !== currentUrlParts.protocol &&
   redirectUrl.protocol !== "https:" ||
   redirectUrl.host !== currentHost &&
   !isSubdomain(redirectUrl.host, currentHost)) {
  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}

The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.

Attack Scenario

1. App uses axios with custom auth header: headers: { 'X-API-Key': 'sk-live-secret123' }
2. Server returns 302 Location: https://evil.com/steal
3. follow-redirects sends X-API-Key: sk-live-secret123 to evil.com
4. Attacker captures the API key

Impact

Any custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.

Suggested Fix

Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.

Disclosure

Source code review, manually verified. Found 2026-03-20.

---

Remediation Steps

• Update the affected package follow-redirects from version 1.15.11 to 1.16.0.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.

[the-lambda-watchdog]

The vulnerability is no longer present in the latest Lambda Watchdog scans. Marking the issue as closed. 🤖