axios is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
75
High Risk
The Node.js HTTP adapter follows redirects through follow-redirects, which strips standard credential headers such as Authorization on cross-origin hops but leaves caller-defined secret headers like X-API-Key untouched. A server that responds with a cross-origin redirect can therefore receive custom API keys, AWS session tokens, or other internal credentials that were meant only for the original host. In shared-instance setups where secret headers are set by default, this can leak live credentials to the redirect destination. Version 1.18.0 adds the opt-in sensitiveHeaders request option so listed custom headers are removed on cross-origin redirects with case-insensitive matching and fail-closed origin checks.
You are affected if you are using a version in the vulnerable range and your Node.js application sends custom secret-bearing headers through axios, follows cross-origin redirects, and does not list those headers in sensitiveHeaders.
axios is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in versions 0.19.1 - 1.17.0.
Upgrade the axios library to the patched version (1.18.0 adds the sensitiveHeaders option) and list your custom secret-bearing headers in sensitiveHeaders; the option is opt-in, so upgrading alone does not strip them.