CVE-2022-1650: 
JavaScript vulnerability analysis and mitigation

CVE-2022-1650 is a vulnerability discovered in the EventSource NPM package (eventsource/eventsource) prior to version 2.0.2. The vulnerability was identified as an Improper Removal of Sensitive Information Before Storage or Transfer, where the module failed to honor the same-origin policy and would leak sensitive header information during redirects (NVD, Debian LTS).

The vulnerability has been assigned a CVSS v3.1 base score of 9.3 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. The issue specifically occurs when the EventSource client follows HTTP redirects to a different origin, where it fails to strip sensitive headers such as authorization and cookie information (GitHub Patch).

When exploited, this vulnerability could lead to the exposure of sensitive information such as authentication tokens and cookies to unauthorized domains. This occurs specifically when the EventSource client follows redirects to different origins, potentially allowing attackers to capture sensitive header information (Debian LTS).

The vulnerability has been fixed in version 2.0.2 of the eventsource package. The fix implements proper stripping of sensitive headers (authorization and cookie) when redirecting to a different origin. Users are recommended to upgrade to version 2.0.2 or later (GitHub Patch).