[Bug 1235154] New: VUL-0: CVE-2025-21620: wasm-bindgen: deno: 'Authorization' header not dropped when fetch() handles cross-origin redirects
https://bugzilla.suse.com/show_bug.cgi?id=1235154

Bug ID: 1235154
Summary: VUL-0: CVE-2025-21620: wasm-bindgen: deno: 'Authorization' header not dropped when fetch() handles cross-origin redirects
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: Other
URL: https://smash.suse.de/issue/435013/
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: opensuse_buildservice@ojkastl.de
Reporter: camila.matos@suse.com
QA Contact: security-team@suse.de
CC: camila.matos@suse.com, security-team@suse.de, smash_bz@suse.de
Blocks: 1235152
Target Milestone: ---
Found By: Security Response Team
Blocker: ---

+++ This bug was initially created as a clone of Bug #1235152 +++

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-21620
https://www.cve.org/CVERecord?id=CVE-2025-21620
https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6

--
You are receiving this mail because:
You are on the CC list for the bug.
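
The header handling this report describes, as an added example (not Deno's code and not part of the original report): a manual redirect follower that drops `Authorization` as soon as the next hop's origin differs. The function names, hosts and token are constructed, and it assumes GET requests without a body.

```javascript
// Added example, not Deno's code. Assumes GET requests without a body and a
// runtime where redirect: "manual" exposes the 3xx response (Deno, Node 18+).
const CREDENTIAL_HEADERS = ["authorization"];
const REDIRECT_STATUSES = [301, 302, 303, 307, 308];

// Compute the URL and headers for the next hop of a redirect.
function headersForRedirect(fromUrl, location, headers) {
  const next = new URL(location, fromUrl); // Location may be relative
  const out = new Headers(headers);
  if (next.origin !== new URL(fromUrl).origin) {
    // Origin = scheme + host + port; any difference drops the credentials.
    for (const name of CREDENTIAL_HEADERS) out.delete(name);
  }
  return { url: next.href, headers: out };
}

// Follow redirects by hand; `transport` is injectable so this runs offline.
async function fetchFollowing(url, init = {}, transport = fetch, maxHops = 20) {
  let headers = new Headers(init.headers);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await transport(url, { ...init, headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (!REDIRECT_STATUSES.includes(res.status) || !location) return res;
    // Headers removed here stay removed on every later hop.
    ({ url, headers } = headersForRedirect(url, location, headers));
  }
  throw new Error("too many redirects");
}

// Constructed transport: api.example redirects to cdn.example, which answers 200.
function makeFakeTransport(seen) {
  return async (url, init) => {
    seen.push({ url, authorization: init.headers.get("authorization") });
    if (new URL(url).host === "api.example") {
      return { status: 302, headers: new Headers({ location: "https://cdn.example/file" }) };
    }
    return { status: 200, headers: new Headers() };
  };
}

// Returns what each host received; the second entry has authorization: null.
async function demo() {
  const seen = [];
  await fetchFollowing("https://api.example/file",
    { headers: { Authorization: "Bearer constructed-token" } }, makeFakeTransport(seen));
  return seen;
}
```
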

https://bugzilla.suse.com/show_bug.cgi?id=1235154
https://bugzilla.suse.com/show_bug.cgi?id=1235154#c1

--- Comment #1 from Camila Camargo de Matos <camila.matos@suse.com> ---
It seems like package openSUSE:Factory/wasm-bindgen contains a vulnerable version of deno.

https://bugzilla.suse.com/show_bug.cgi?id=1235154

SMASH SMASH <smash_bz@suse.de> changed:

What    |Removed    |Added
----------------------------------------------------------------------------
Priority|P5 - None  |P3 - Medium