
fix: update @microsoft/kiota-http-fetchlibrary to resolve security vulnerability GHSA-396q-4vc8-28x9#492

Merged
gavinbarron merged 1 commit into main from fix/kiota-http-fetchlibrary-security-update on May 26, 2026

Conversation

@gavinbarron
Member

Summary

This PR updates @microsoft/kiota-http-fetchlibrary and other outdated npm dependencies to resolve a critical security vulnerability (GHSA-396q-4vc8-28x9).

Issue

Fixes #491

Security Vulnerability Details

GHSA-396q-4vc8-28x9: Bearer token leak across origin in RedirectHandler

The vulnerability affects @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101.

Root Cause

The RedirectHandler's default scrubbing callback uses case-sensitive property deletion on a headers object that has already been lower-cased by the request adapter. This causes sensitive headers (Authorization, Cookie) to not be properly removed during cross-origin redirects.

Impact

  • Bearer tokens in Authorization headers are leaked to attacker-controlled hosts during HTTP redirects
  • Affects all kiota-generated TypeScript SDKs using authentication providers
  • Applies to the default middleware chain with no custom configuration required
  • No user interaction needed to trigger the vulnerability

Fix

Update @microsoft/kiota-http-fetchlibrary from 1.0.0-preview.100 to 1.0.0-preview.102

Changes

  • Updated @microsoft/kiota-http-fetchlibrary to 1.0.0-preview.102
  • Updated all other outdated dependencies to their latest versions
  • These changes ensure proper scrubbing of sensitive headers during cross-origin redirects

References
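The bug class described under Root Cause, reconstructed as an added example (not the library's own code): a case-sensitive `delete` against a header map the adapter has already lower-cased leaves `authorization` and `cookie` in place on a cross-origin hop, while a case-insensitive comparison removes them. The function names, the sample token and the hostnames are hypothetical.

```typescript
// Added example, not code from @microsoft/kiota-http-fetchlibrary.
type HeaderMap = Record<string, string>;

// Headers that must never follow a redirect to another origin.
const SENSITIVE_HEADERS: string[] = ["Authorization", "Cookie"];

// Stand-in for a request adapter that normalises header names to lower case
// before the middleware chain (including the redirect handler) sees them.
function lowerCaseHeaders(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = headers[k];
  return out;
}

// Vulnerable scrub: property deletion is case-sensitive, so against a
// lower-cased map "Authorization" matches nothing and the token survives.
function scrubCaseSensitive(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = { ...headers };
  for (const name of SENSITIVE_HEADERS) delete out[name];
  return out;
}

// Fixed scrub: header names are case-insensitive, so compare lower-cased
// names and the casing chosen by the adapter no longer matters.
function scrubCaseInsensitive(headers: HeaderMap): HeaderMap {
  const drop = SENSITIVE_HEADERS.map((n) => n.toLowerCase());
  const out: HeaderMap = {};
  for (const k of Object.keys(headers)) {
    if (drop.indexOf(k.toLowerCase()) === -1) out[k] = headers[k];
  }
  return out;
}

// Redirect step: forward headers unchanged within the same origin, scrub
// them with the supplied callback when the redirect leaves it.
function headersForRedirect(
  headers: HeaderMap, from: string, to: string,
  scrub: (h: HeaderMap) => HeaderMap,
): HeaderMap {
  return new URL(from).origin === new URL(to).origin ? headers : scrub(headers);
}

// Regression check: which sensitive headers (any casing) are still present?
function leakedSensitiveHeaders(headers: HeaderMap): string[] {
  const drop = SENSITIVE_HEADERS.map((n) => n.toLowerCase());
  return Object.keys(headers).filter((k) => drop.indexOf(k.toLowerCase()) !== -1);
}

// Constructed sample request as the adapter would hand it to the middleware.
const SAMPLE: HeaderMap = lowerCaseHeaders({
  Authorization: "Bearer constructed-example-token",
  Cookie: "session=constructed",
  Accept: "application/json",
});
```

Running `leakedSensitiveHeaders` over the output of `headersForRedirect` for a cross-origin hop is the check to add to a test suite: it must return an empty list for the scrub callback in use.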

@gavinbarron gavinbarron requested a review from a team as a code owner May 26, 2026 18:25
- Update @microsoft/kiota-http-fetchlibrary from 1.0.0-preview.100 to 1.0.0-preview.102
- Fixes GHSA-396q-4vc8-28x9: Bearer token leak across origin in RedirectHandler
- Updates all other outdated npm dependencies to latest versions
- Resolves security vulnerability where Authorization headers were leaked during cross-origin redirects

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gavinbarron gavinbarron force-pushed the fix/kiota-http-fetchlibrary-security-update branch from 5fc3c78 to 8704f61 May 26, 2026 18:30
@gavinbarron gavinbarron merged commit 8973486 into main May 26, 2026
8 checks passed
@gavinbarron gavinbarron deleted the fix/kiota-http-fetchlibrary-security-update branch May 26, 2026 18:56

Development

Successfully merging this pull request may close these issues.

Security: Update @microsoft/kiota-http-fetchlibrary to fix bearer token leak (GHSA-396q-4vc8-28x9)

3 participants