CVE-2022-24719: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in fluture-js fluture-node

Severity: Medium
Published: Tue Mar 01 2022 (03/01/2022, 20:20:13 UTC)
Source: CVE
Vendor/Project: fluture-js
Product: fluture-node

Description

Fluture-Node is a set of FP-style HTTP and streaming utilities for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability: if the destination server redirects the request to a server on a third-party domain, or to the same domain over unencrypted HTTP, the headers are included in the follow-up request and are exposed to the third party, or to potential HTTP traffic sniffing. The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin. A workaround has been identified: use a custom redirection strategy via the `followRedirectsWith` function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.

AI-Powered Analysis

Last updated: 06/23/2025, 15:00:04 UTC

Technical Analysis

CVE-2022-24719 is a vulnerability affecting versions 4.0.0 and 4.0.1 of fluture-node, a functional programming style HTTP and streaming utility library for Node.js based on fluture-js. The issue arises when using the `followRedirects` or `followRedirectsWith` functions with the built-in redirection strategies. Specifically, if an HTTP request contains confidential headers such as Authorization or Cookie and the destination server issues a redirect to a different domain (a third-party origin) or to the same domain over an unencrypted HTTP connection, these sensitive headers are included in the redirected request. This behavior exposes private personal information to unauthorized actors, either by sending it to an unintended third-party server or by making it susceptible to interception via network sniffing on unencrypted HTTP traffic. The root cause is that the redirection strategies in versions 4.0.0 and 4.0.1 do not automatically redact or remove confidential headers when following redirects across origins or protocols. This can lead to leakage of authentication tokens or session cookies, potentially allowing attackers to hijack sessions or gain unauthorized access. The vulnerability was addressed in version 4.0.2, where the redirection strategies were updated to automatically redact confidential headers when redirects cross origins. Additionally, users of affected versions can implement a custom redirection strategy via `followRedirectsWith` to mitigate the issue by redacting sensitive headers before following redirects. There are no known exploits in the wild reported for this vulnerability, and no official patches beyond upgrading to version 4.0.2 or later. The vulnerability is classified under CWE-359, which relates to exposure of private personal information to unauthorized actors.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive authentication credentials or session tokens when using fluture-node versions 4.0.0 or 4.0.1 in their Node.js applications that perform HTTP requests with redirects. The exposure of Authorization or Cookie headers to third-party domains or over unencrypted HTTP can lead to session hijacking, unauthorized access to protected resources, and potential data breaches. This is particularly concerning for organizations handling personal data under GDPR, as unauthorized disclosure could lead to regulatory penalties and reputational damage. The impact is amplified in environments where microservices or third-party integrations rely on fluture-node for HTTP communication, especially if redirects are common and confidential headers are used. Although no active exploits are known, the ease of exploitation is moderate since an attacker would need to control or influence redirect destinations or intercept unencrypted traffic. The confidentiality of user credentials and session information is primarily at risk, while integrity and availability impacts are minimal. However, compromised credentials can indirectly lead to further attacks affecting integrity and availability. The scope includes any European organization using affected versions of fluture-node in production environments, particularly those in sectors with high security requirements such as finance, healthcare, and government.

Mitigation Recommendations

1. Upgrade fluture-node to version 4.0.2 or later, where the redirection strategies automatically redact confidential headers when following redirects across origins.
2. If upgrading is not immediately feasible, implement a custom redirection strategy using `followRedirectsWith` that explicitly removes or redacts Authorization, Cookie, and other sensitive headers before following redirects to different domains or unencrypted HTTP URLs.
3. Audit all HTTP requests in applications using fluture-node to identify those that include confidential headers and follow redirects, ensuring they are handled securely.
4. Enforce HTTPS usage strictly to prevent exposure of headers over unencrypted connections; consider implementing HTTP Strict Transport Security (HSTS) policies.
5. Monitor network traffic for unexpected outbound requests containing sensitive headers to unknown or third-party domains.
6. Educate developers on the risks of automatic header forwarding during redirects and encourage secure coding practices around HTTP client usage.
7. Review and limit the use of confidential headers in requests that may be redirected, avoiding sending sensitive headers unless absolutely necessary.
8. Incorporate security testing and code reviews focusing on HTTP client behavior and redirect handling in CI/CD pipelines.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9842c4522896dcbf26fd

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 3:00:04 PM

Last updated: 8/11/2025, 4:12:42 AM
