Cyber Posture

CVE-2025-21620

High

Published: 06 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in Deno 2.1.2)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0019 (41.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21620 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the Deno runtime's fetch() redirect handling, fixed in Deno 2.1.2. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Steal Application Access Token (T1528). Its EPSS score places it at the 41.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), which in practice means upgrading to Deno 2.1.2 or later, and AC-4 (Information Flow Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Application Access Token (T1528). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of the flaw in Deno's fetch() redirect handling, in practice upgrading to Deno 2.1.2 or later, to prevent Authorization header leakage to unauthorized domains.

Outbound header filtering (prevent): filters sensitive information such as Authorization headers out of outgoing requests during cross-domain redirects to block leakage to unauthorized actors.

AC-4 Information Flow Enforcement (prevent): enforces information flow control policies that restrict transmission of sensitive credentials to approved domains only, mitigating unauthorized exposure during redirects.

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Vulnerability directly enables theft of application access tokens/API credentials via Authorization header leakage on cross-domain redirects.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.

Deeper analysis

CVE-2025-21620 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The vulnerability resides in Deno's fetch() redirect handling: when a request including an Authorization header is sent to one domain and the response redirects to a different domain, the follow-up request retains the original Authorization header, leaking its contents to the second domain. This issue, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), impacts Deno versions prior to 2.1.2 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Exploitation requires no privileges or user interaction, but it does require a redirect. An attacker who already controls the host that first receives the Authorization header gains nothing from this flaw, since that host sees the header directly. The exposure arises when the trusted host, the one the credential is actually meant for, answers with a redirect to a different domain. That can be a legitimate hand-off (an API that redirects downloads to a storage or CDN host, which then receives a token it was never meant to hold) or an attacker-influenced one, such as an open redirect on the trusted host, or an endpoint on it whose redirect target is derived from attacker-supplied input. In each case the preserved header discloses the bearer token, API key or Basic credentials to the second domain, which can replay them against the protected resource on the victim's behalf. The low attack complexity and network reachability make the issue easy to trigger wherever such a redirect exists, although its EPSS score (41.0th percentile) indicates limited observed exploitation activity.

Deno fixed this vulnerability in version 2.1.2; upgrade to 2.1.2 or later to stop credential leakage during cross-domain redirects. For context, the WHATWG Fetch Standard requires that the Authorization header be removed from a redirected request whenever the redirect target's origin differs from the current request's origin, which is why browsers and spec-conforming clients do not exhibit this behaviour; any Deno process older than 2.1.2 must be assumed to forward the header. Where an immediate upgrade is not possible, issue authenticated requests with fetch's redirect: "manual" (or redirect: "error") option so the runtime never follows a redirect with the credential attached, and scope the tokens attached to outbound fetch() calls to the least privilege needed. Additional details are available in the GitHub Security Advisory at https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6.
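As an added illustration (example code written for this page, not Deno's implementation and not from the advisory), the following TypeScript reproduces the redirect handling described above against an in-memory stand-in for the network, so it runs offline. It follows the same redirect chain twice: once keeping every header on every hop, which is the pre-2.1.2 behaviour, and once dropping credential headers whenever the next hop is on a different origin, which is what the Fetch Standard requires for Authorization. The hostnames, the token value, the Transport type and the allowedCredentialOrigins option are assumptions of the example; the allowlist option models the AC-4 style policy listed above and is not a standard fetch feature.

```typescript
// Added example (not Deno's code): vulnerable vs corrected redirect handling,
// driven by a constructed in-memory "network". All hostnames are fictitious.

type HeaderMap = Record<string, string>;

interface HopResponse {
  status: number;
  headers: HeaderMap; // header names lowercased
}

// One round trip that does not follow redirects itself (what a wrapper around
// fetch(url, { redirect: "manual" }) would provide).
type Transport = (url: string, headers: HeaderMap) => HopResponse;

interface RedirectPolicy {
  // false reproduces the vulnerable behaviour: every header survives every hop.
  stripCrossOriginCredentials: boolean;
  // Assumed option: origins (scheme://host[:port]) allowed to receive credentials
  // even across an origin change. Models an AC-4 style allowlist.
  allowedCredentialOrigins?: string[];
  maxRedirects?: number;
}

interface HopRecord {
  url: string;
  sentHeaders: HeaderMap;
}

// Dropped on a cross-origin redirect. The Fetch Standard mandates this for
// Authorization; the other two names are a defensive extension of this example.
const CREDENTIAL_HEADERS = ["authorization", "proxy-authorization", "cookie"];

function lowerKeys(h: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const k of Object.keys(h)) out[k.toLowerCase()] = h[k];
  return out;
}

function isRedirect(status: number): boolean {
  return [301, 302, 303, 307, 308].indexOf(status) !== -1;
}

function followRedirects(
  startUrl: string,
  headers: HeaderMap,
  transport: Transport,
  policy: RedirectPolicy,
): { hops: HopRecord[]; final: HopResponse } {
  const max = policy.maxRedirects ?? 20;
  const allowed = policy.allowedCredentialOrigins ?? [];
  const hops: HopRecord[] = [];
  let url = startUrl;
  let current = lowerKeys(headers);

  for (let hop = 0; ; hop++) {
    const res = transport(url, { ...current });
    hops.push({ url, sentHeaders: { ...current } });

    const location = res.headers["location"];
    if (!isRedirect(res.status) || !location) return { hops, final: res };
    if (hop >= max) throw new Error(`too many redirects from ${startUrl}`);

    // Resolve a relative Location against the URL that issued it.
    const next = new URL(location, url).toString();
    const nextOrigin = new URL(next).origin;
    const crossesOrigin = new URL(url).origin !== nextOrigin;
    if (policy.stripCrossOriginCredentials && crossesOrigin && allowed.indexOf(nextOrigin) === -1) {
      for (const name of CREDENTIAL_HEADERS) delete current[name];
    }
    url = next;
  }
}

// Constructed scenario: the API the token belongs to redirects an authenticated
// download to a third-party host (as an open redirect or a CDN hand-off would).
const network: Record<string, HopResponse> = {
  "https://api.example.test/download": { status: 302, headers: { location: "https://cdn.third-party.test/file" } },
  "https://cdn.third-party.test/file": { status: 200, headers: {} },
  "https://api.example.test/a": { status: 302, headers: { location: "/b" } },
  "https://api.example.test/b": { status: 200, headers: {} },
};
const transport: Transport = (url) => network[url] ?? { status: 404, headers: {} };
const TOKEN = "Bearer constructed-token"; // constructed, not a real credential

// The Authorization value the final hop actually received, or undefined.
function authSeenAtFinalHop(startUrl: string, policy: RedirectPolicy): string | undefined {
  const { hops } = followRedirects(startUrl, { Authorization: TOKEN }, transport, policy);
  return hops[hops.length - 1].sentHeaders["authorization"];
}

const download = "https://api.example.test/download";
const leaked = authSeenAtFinalHop(download, { stripCrossOriginCredentials: false }); // pre-2.1.2
const stripped = authSeenAtFinalHop(download, { stripCrossOriginCredentials: true }); // corrected
const kept = authSeenAtFinalHop("https://api.example.test/a", { stripCrossOriginCredentials: true }); // same origin
console.log({ leaked, stripped, kept });
```

Run it with deno run, tsx or ts-node; the logged object shows the token reaching the third-party host only in the unpatched path, while a same-origin redirect keeps the header so ordinary API usage still works. To apply the same policy over a live connection, the transport would wrap fetch(url, { redirect: "manual" }) and the wrapper would read the Location header itself; confirm that your runtime exposes the 3xx status and Location header under "manual" mode before relying on that, since browsers return an opaque redirect response instead.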

Details

CWE(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVEs Like This One

CVE-2026-33745 (shared CWE-200)
CVE-2026-40895 (shared CWE-200)
CVE-2026-33180 (shared CWE-200)
CVE-2026-34969 (shared CWE-200)
CVE-2025-70963 (shared CWE-200)
CVE-2026-26069 (shared CWE-200)
CVE-2026-24870 (shared CWE-200)
CVE-2026-4020 (shared CWE-200)
CVE-2025-62188 (shared CWE-200)
CVE-2024-13562 (shared CWE-200)

References

GitHub Security Advisory GHSA-f27p-cmv8-xhm6: https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6