All follow-redirects CVEs — Complete Vulnerability History
follow-redirects implements redirect-following for HTTP requests in Node.js. It's a transitive dependency of axios, webpack-dev-server, and many others. Its CVEs are mostly credential/header exposure on redirect.
npm
50M+ weekly downloads
3 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-0155 | 2022 | MEDIUM | Private data exposure via HTTP redirect | Fixed 1.14.7 |
| CVE-2023-26159 | 2023 | MEDIUM | URL redirect to untrusted site | Fixed 1.15.4 |
| CVE-2024-28849 | 2024 | MEDIUM | Proxy-Authorization header cleared on cross-host redirect | Fixed 1.15.6 |
Current safe version: 1.15.6. Update the pin in package.json:

```
# Before
"follow-redirects": "1.15.2"
# After
"follow-redirects": "1.15.6"
```

Then run `npm install`.
Common questions
Is follow-redirects a direct or transitive dep?
Almost always transitive — it's pulled in by axios, webpack-dev-server, got, and many other packages. Use npm overrides to force a safe version if you can't update the parent package.
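An added example, not code from the PackageFix page or the follow-redirects project: a Node.js script that walks a lockfile's `packages` map (lockfile v2/v3 layout is assumed), lists every follow-redirects copy, nested ones included, with the CVEs from the table whose fix version it predates, and builds the `overrides` entry that pins all of them to 1.15.6. The sample lockfile is constructed.

```javascript
// Added example (not PackageFix's or follow-redirects' own code): audit a
// package-lock.json for follow-redirects copies older than the fix versions in
// the CVE table, then build the npm "overrides" entry that pins every copy to
// the safe version. Assumes lockfile v2/v3 ("packages" map keyed by path).

const CVE_FIXES = [
  { id: "CVE-2022-0155", fixed: "1.14.7" },
  { id: "CVE-2023-26159", fixed: "1.15.4" },
  { id: "CVE-2024-28849", fixed: "1.15.6" },
];
const SAFE_VERSION = "1.15.6";

// Numeric compare of dotted versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every follow-redirects copy (nested ones included) with the CVEs whose fix it predates.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/follow-redirects")) continue;
    const affected = CVE_FIXES
      .filter((c) => compareVersions(meta.version, c.fixed) < 0)
      .map((c) => c.id);
    findings.push({ path, version: meta.version, affected });
  }
  return findings;
}

// package.json "overrides" block that forces the safe version on all parents.
function overridesEntry() {
  return { overrides: { "follow-redirects": SAFE_VERSION } };
}

// Constructed sample: axios nests an old copy, the top-level copy is already fixed.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/axios": { version: "1.3.4" },
    "node_modules/axios/node_modules/follow-redirects": { version: "1.15.2" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK), overridesEntry());
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))`; a copy reported with an empty `affected` list is already at or past every fix version in the table.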
Does CVE-2023-26159 affect server-side code?
Yes — SSRF via redirect. If your server uses axios or another package that follows redirects on user-controlled URLs, the request can be redirected to internal services.