Cyber Resilience

CVE-2025-21620

High

Published: 06 January 2025

Published
06 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0026 50.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21620 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked in the top 50.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2025-21620 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The vulnerability resides in Deno's fetch() redirect handling: when a request including an Authorization header is sent to one domain and the response redirects to a different domain, the follow-up request retains the original Authorization header, leaking its contents to the second domain. This issue, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), impacts Deno versions prior to 2.1.2 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Attackers can exploit this remotely without privileges or user interaction by controlling the initial domain that receives the fetch request with an Authorization header—such as through user-supplied URLs, misconfigured endpoints, or crafted links—and responding with a redirect to a second attacker-controlled domain. The preserved header then discloses sensitive credentials like API tokens or passwords to the attacker, enabling unauthorized access to protected resources on the victim's behalf. The low attack complexity and network accessibility make it suitable for broad exploitation campaigns.

Deno has fixed this vulnerability in version 2.1.2. Security advisories recommend immediate upgrades to patched versions to prevent credential leakage during cross-domain redirects. Additional details are available in the GitHub Security Advisory at https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6.

EU & UK References

Vulnerability details

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect…

more

request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Vulnerability directly enables theft of application access tokens/API credentials via Authorization header leakage on cross-domain redirects.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33745Shared CWE-200
CVE-2026-33180Shared CWE-200
CVE-2026-40895Shared CWE-200
CVE-2026-34969Shared CWE-200
CVE-2025-70963Shared CWE-200
CVE-2026-26069Shared CWE-200
CVE-2024-13796Shared CWE-200
CVE-2025-27784Shared CWE-200
CVE-2025-26001Shared CWE-200
CVE-2026-42826Shared CWE-200

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the flaw in Deno's fetch() redirect handling to prevent Authorization header leakage to unauthorized domains.

prevent

Filters sensitive information such as Authorization headers from outgoing requests during cross-domain redirects to block leakage to unauthorized actors.

prevent

Enforces information flow control policies to restrict transmission of sensitive credentials to only approved domains, mitigating unauthorized exposure during redirects.

References