@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, the RedirectHandler is intended to strip Authorization and Cookie headers from cross-origin redirect targets to prevent sensitive data leakage. However, the default scrubSensitiveHeaders callback uses case-sensitive deletion (e.g., delete headers.Authorization) on a headers object whose keys have already been lower-cased by FetchRequestAdapter.getRequestFromRequestInformation. As a result, the deletion attempts do not remove the intended headers, leaving Authorization and Cookie headers intact and forwarded to attacker-controlled hosts during 30x redirects. This vulnerability is present in the default middleware chain without custom configuration and affects any kiota-generated TypeScript SDK using BaseBearerTokenAuthenticationProvider or similar authentication providers. The issue is patched in version 1.0.0-preview.102.

Sensitive authentication headers such as Authorization (Bearer tokens) and Cookie headers may be unintentionally forwarded to attacker-controlled hosts during cross-origin HTTP redirects. This can lead to unauthorized disclosure of authentication credentials, potentially allowing attackers to impersonate users or gain unauthorized access to protected resources. The vulnerability affects all kiota-generated TypeScript SDKs using the affected versions and default middleware configurations that set these headers.

Upgrade to @microsoft/kiota-http-fetchlibrary version 1.0.0-preview.102 or later, where the issue is fixed. Until upgrading, be aware that the default middleware does not properly scrub sensitive headers on redirects, so consider implementing custom middleware to correctly handle header case sensitivity or avoid following cross-origin redirects that could leak sensitive headers.