Michaelmainer

**Name of the Vulnerable Software and Affected Versions** microsoft-kiota-http-okHttp versions 1.9.0 and earlier kiota-dotnet (affected versions not specified) kiota-java (affected versions not specified) kiota-python (affected versions not specified) kiota-typescript (affected versions not specified) kiota-http-go (affected versions not specified) **Description** The RedirectHandler middleware fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. While the Authorization header is removed, other sensitive headers including `Cookie`, `Proxy-Authorization`, and custom headers are forwarded to the redirect target. This occurs within the `getRedirect()` function. An attacker capable of triggering a cross-origin redirect from a trusted API could capture session cookies, proxy credentials, and API keys from the redirected request, potentially leading to session hijacking or credential theft. **Recommendations** Update microsoft-kiota-http-okHttp to a version later than 1.9.0. At the moment, there is no information about a newer version that contains a fix for this vulnerability for kiota-dotnet, kiota-java, kiota-python, kiota-typescript, and kiota-http-go.