[GHSA-cxjh-pqwp-8mfp] follow-redirects' Proxy-Authorization header kept across hosts#7475
ljharb wants to merge 1 commit (branch ljharb/advisory-improvement-7475)
Hi there @RubenVerborgh! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates the advisory metadata for GHSA-cxjh-pqwp-8mfp to reflect that the vulnerable behavior (Proxy-Authorization retained across hosts) was introduced later than previously recorded.
Changes:
- Adjusted the advisory's "modified" timestamp
- Corrected the "introduced" version boundary for the affected range
| "schema_version": "1.4.0", | ||
| "id": "GHSA-cxjh-pqwp-8mfp", | ||
| "modified": "2024-04-02T17:54:20Z", | ||
| "modified": "2024-04-02T17:54:22Z", |
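Review bot: the only visible change in this hunk is the "modified" value moving from 17:54:20Z to 17:54:22Z; the corrected "introduced" boundary that the Changes summary describes is not part of this hunk, so the affected-range events should be checked separately to confirm the range now starts at the version where cross-host header forwarding actually appears, as the comment below argues for 0.0.6.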
The modified timestamp only advanced by 2 seconds. If this repo expects modified to reflect the time of the substantive content change (often matching commit time), consider updating it to the actual edit time rather than a minimal delta; this helps consumers and tooling detect meaningful updates.
| "modified": "2024-04-02T17:54:22Z", | |
| "modified": "2024-04-02T18:10:00Z", |
Empirical POC-based runtime testing confirms follow-redirects 0.0.1-0.0.5 do not leak Proxy-Authorization on cross-host redirects - same mechanism as GHSA-74fj-2j2h-c42q: the redirect code path in those versions does not forward any headers on cross-host redirects (0.0.1-0.0.3 forwards nothing at all; 0.0.4-0.0.5 has no cross-host code path). Cross-host header forwarding landed in 0.0.6.
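The header-handling behaviour this advisory concerns, as an added illustration in JavaScript that is not follow-redirects' own code: a redirect follower must drop host-bound credential headers (Proxy-Authorization among them) before re-sending a request to a different origin. The header list, sample URLs and header values below are constructed for the example.

```javascript
// Added illustration (not follow-redirects' code): the policy a redirect
// follower should apply to request headers before following a Location.
// Credentials bound to the original host, or to the proxy in front of the
// original request, must not be re-sent to a different origin.
const HOST_BOUND_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Same origin means same scheme, host and effective port. WHATWG URL leaves
// `port` empty when it is the scheme default, so "http://a:80" equals "http://a".
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Returns the headers that may be sent to `redirectUrl`. `redirectUrl` may be a
// relative Location value; it is resolved against the original request URL.
// Header names are matched case-insensitively, as HTTP requires.
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const from = new URL(originalUrl);
  const to = new URL(redirectUrl, from);
  const crossOrigin = !sameOrigin(from, to);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const hostBound = HOST_BOUND_HEADERS.includes(name.toLowerCase());
    if (crossOrigin && hostBound) continue; // strip credential on origin change
    out[name] = value;
  }
  return out;
}

// Constructed sample: a request carrying proxy and bearer credentials.
const sampleHeaders = {
  'Proxy-Authorization': 'Basic <constructed>',
  Authorization: 'Bearer <constructed>',
  'User-Agent': 'example/1.0',
};

// Off-host redirect: only the non-credential header survives.
console.log(headersForRedirect('https://app.example/login', 'https://other.example/', sampleHeaders));
// Same-origin redirect (relative Location): everything is kept.
console.log(headersForRedirect('https://app.example/login', '/dashboard', sampleHeaders));
```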