oauth2 is vulnerable to Exposure of Sensitive Information
High Risk
The OAuth2::Client#request method resolves HTTP 30x redirect Location headers with URI#merge and re-issues the request without revalidating the target host or pruning credentials. A protocol-relative location such as //attacker.example/leak is a network-path reference: URI#merge keeps the original scheme but replaces the authority with the one from the Location header, so the follow-up request is sent to an attacker-controlled host while still carrying the Authorization: Bearer header configured for the trusted identity provider. This discloses the bearer token cross-origin with no user interaction. It is exploitable through an open redirect on the IdP, through a hostile tenant in a multi-tenant IdP configuration, or by a network-position attacker who can rewrite response headers. The fix neutralizes protocol-relative locations before merging and strips Authorization headers when a redirect changes scheme, host, or port.
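The following is an added example, not code from the oauth2 gem or from the fix, that reproduces the resolution step with Ruby's standard URI#merge and sets a hardened redirect resolver beside it. The advisory only says the fix "neutralizes" protocol-relative locations; the choice here to reject them outright, and the `unsafe_redirect`/`safe_redirect` names and the `https://idp.example` origin, are this example's own assumptions.

```ruby
require "uri"

# Constructed sample: the token endpoint of a trusted IdP (hypothetical host).
ORIGIN = URI("https://idp.example/oauth/token")

# The vulnerable pattern: merge the Location header as-is and keep every
# request header. For a network-path reference ("//host/path") URI#merge
# keeps the base scheme but swaps in the attacker's authority, so the
# bearer token rides along to the new host.
def unsafe_redirect(origin, location, headers)
  [origin.merge(location), headers]
end

# Hardened resolution (this example's own design, not the gem's patch):
#  1. refuse protocol-relative locations before merging;
#  2. allow only http(s) targets;
#  3. drop Authorization whenever scheme, host or port changes.
def safe_redirect(origin, location, headers)
  raise ArgumentError, "protocol-relative Location rejected" if location.start_with?("//")

  target = origin.merge(location)
  raise ArgumentError, "non-http(s) redirect target" unless %w[http https].include?(target.scheme)

  same_origin = [origin.scheme, origin.host, origin.port] ==
                [target.scheme, target.host, target.port]
  new_headers = headers.dup
  new_headers.delete("Authorization") unless same_origin
  [target, new_headers]
end

if __FILE__ == $PROGRAM_NAME
  creds = { "Authorization" => "Bearer example-token", "Accept" => "application/json" }
  target, hdrs = unsafe_redirect(ORIGIN, "//attacker.example/leak", creds)
  puts "unsafe: #{target} with Authorization=#{hdrs["Authorization"]}"
  target, hdrs = safe_redirect(ORIGIN, "https://other.example/cb", creds)
  puts "safe:   #{target} with Authorization=#{hdrs["Authorization"].inspect}"
end
```

The same-origin check compares the effective port (URI fills in 443 for https), so a redirect to the same host on a different port also loses the bearer token; a plain path redirect on the IdP keeps it, which is what the token-exchange flow needs.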
You are affected if you are using a version that falls within the vulnerable range.
oauth2 is vulnerable to Exposure of Sensitive Information in versions 0.4.0 - 2.0.21.
Upgrade the oauth2 gem to a patched release above the vulnerable range.