CVE-2025-21620
Published: 06 January 2025
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.
Security Summary
CVE-2025-21620 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The vulnerability resides in Deno's fetch() redirect handling: when a request including an Authorization header is sent to one domain and the response redirects to a different domain, the follow-up request retains the original Authorization header, leaking its contents to the second domain. This issue, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), impacts Deno versions prior to 2.1.2 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Attackers can exploit this remotely without privileges or user interaction by controlling the initial domain that receives the fetch request carrying an Authorization header (for example through user-supplied URLs, misconfigured endpoints, or crafted links) and responding with a redirect to a second attacker-controlled domain. The preserved header then discloses sensitive credentials such as API tokens or passwords to the attacker, enabling unauthorized access to protected resources on the victim's behalf. The low attack complexity and network accessibility make it suitable for broad exploitation campaigns.
Deno has fixed this vulnerability in version 2.1.2. Security advisories recommend immediate upgrades to patched versions to prevent credential leakage during cross-domain redirects. Additional details are available in the GitHub Security Advisory at https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6.
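The defensive pattern behind this advisory is simple to state: credential-bearing headers must not survive a redirect that leaves the original origin. The following is an added example, not code from Deno or from the advisory, of a fetch wrapper that follows redirects itself (`redirect: "manual"`) and drops Authorization, Proxy-Authorization and Cookie whenever the next hop is cross-origin. It is useful as a belt-and-braces layer in application code and as a regression check against a runtime's own redirect behaviour. The `fetchImpl` parameter, the `*.example.test` hostnames and the fake server are assumptions constructed for the example so that it runs offline.

```javascript
// Added example (not Deno's code): follow redirects manually and strip
// credential headers when the redirect crosses an origin boundary.
// `fetchImpl` is an assumed injectable fetch so the logic can be exercised
// against a constructed fake below; in production it defaults to globalThis.fetch.

const CREDENTIAL_HEADERS = ["authorization", "proxy-authorization", "cookie"];
const MAX_REDIRECTS = 10;

// Two URLs share an origin when scheme, host and effective port all match.
// URL normalises default ports, so https://a.test:443 and https://a.test agree.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Header set for the follow-up request: copy everything, then remove
// credential headers if the hop leaves the origin of the previous request.
function headersForRedirect(headers, fromUrl, toUrl) {
  const out = new Headers(headers);
  if (!sameOrigin(fromUrl, toUrl)) {
    for (const name of CREDENTIAL_HEADERS) out.delete(name);
  }
  return out;
}

// RFC 9110 method rewriting: 303 switches to GET (except HEAD),
// 301/302 switch POST to GET, 307/308 keep the method and body.
function methodForRedirect(status, method) {
  if (status === 303 && method !== "HEAD") return "GET";
  if ((status === 301 || status === 302) && method === "POST") return "GET";
  return method;
}

async function fetchWithSafeRedirects(url, init = {}, fetchImpl = globalThis.fetch) {
  let currentUrl = new URL(url).href;
  let method = (init.method || "GET").toUpperCase();
  let headers = new Headers(init.headers || {});
  let body = init.body;
  const hops = []; // audit trail: which headers were sent to which URL

  for (let i = 0; i <= MAX_REDIRECTS; i++) {
    const res = await fetchImpl(currentUrl, { ...init, method, headers, body, redirect: "manual" });
    hops.push({ url: currentUrl, headers: new Headers(headers) });
    const location = res.headers.get("location");
    if (!(res.status >= 300 && res.status < 400) || !location) {
      return { response: res, hops };
    }
    const nextUrl = new URL(location, currentUrl).href; // Location may be relative
    headers = headersForRedirect(headers, currentUrl, nextUrl);
    const nextMethod = methodForRedirect(res.status, method);
    if (nextMethod !== method) {
      body = undefined;
      headers.delete("content-type");
      headers.delete("content-length");
    }
    method = nextMethod;
    currentUrl = nextUrl;
  }
  throw new Error(`too many redirects (> ${MAX_REDIRECTS})`);
}

// Constructed fake server (assumption): api.example.test answers with a 302
// to an unrelated origin; every request it sees is recorded for inspection.
function makeFakeFetch() {
  const seen = [];
  const fetch = async (url, init) => {
    seen.push({ url, auth: init.headers.get("authorization") });
    if (new URL(url).host === "api.example.test") {
      return { status: 302, headers: new Headers({ location: "https://other.example.test/collect" }) };
    }
    return { status: 200, headers: new Headers() };
  };
  return { seen, fetch };
}

// Drives the wrapper against the fake and returns what each origin received.
async function demo() {
  const fake = makeFakeFetch();
  await fetchWithSafeRedirects(
    "https://api.example.test/v1/me",
    { headers: { Authorization: "Bearer constructed-token" } },
    fake.fetch,
  );
  return fake.seen; // second entry has auth === null: the token stayed home
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((seen) => console.log(seen));
}
```

The `hops` array returned alongside the response doubles as a cheap detection aid: logging it in a test suite against a known cross-origin redirect shows at a glance whether a credential header ever reached a second origin, which is exactly the condition this CVE describes.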
Details
- CWE(s)