PT-2025-4305 · Deno · Deno

Rexxars · Published 2025-01-06 · Updated 2025-01-07 · CVE-2025-21620

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Deno versions prior to 2.1.2

Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When a request carrying an Authorization header is sent to one domain and the response redirects to a different domain, Deno's fetch() redirect handling creates a follow-up request that keeps the original Authorization header, leaking its content to that second domain.

Recommendations: For Deno versions prior to 2.1.2, update to version 2.1.2 or later to resolve the issue. As a temporary workaround, consider disabling the fetch() function's redirect handling for sensitive requests until a patch is available. Restrict access to the fetch() API to minimize the risk of exploitation. Avoid using the Authorization header in requests that may be redirected to different domains until the issue is resolved.
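The origin check that the fix restores, shown as an added example that is not Deno's own code: a redirect follower built on redirect: "manual" that drops Authorization (and, as this example's own choice, Cookie and Proxy-Authorization) whenever the Location target has a different origin. The fetcher parameter is a hypothetical injection point so the loop can be exercised without a network.

```javascript
// Added example, not Deno's code: follow redirects by hand so that
// credential-bearing headers never cross an origin boundary.
// Assumption: the header list below is this example's choice, not
// Deno's exact list; `fetcher` is a hypothetical injection point.
const SENSITIVE_HEADERS = ["authorization", "cookie", "proxy-authorization"];

// Origin = scheme + host + port, so api.example:443 and api.example:8443 differ.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Headers for the follow-up request: a copy of the originals, minus
// credentials when the redirect target lives on a different origin.
function headersForRedirect(headers, fromUrl, toUrl) {
  const next = new Headers(headers);
  if (!sameOrigin(fromUrl, toUrl)) {
    for (const name of SENSITIVE_HEADERS) next.delete(name);
  }
  return next;
}

// Manual redirect loop. `fetcher` has fetch's shape; the default is the
// runtime's own fetch. Relative Location values are resolved against the
// current URL so the origin check always sees the absolute target.
async function safeFetch(url, headers, fetcher = (u, i) => fetch(u, i), maxHops = 5) {
  let current = url;
  let currentHeaders = new Headers(headers);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetcher(current, { headers: currentHeaders, redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || location === null) return res;
    const target = new URL(location, current).href;
    currentHeaders = headersForRedirect(currentHeaders, current, target);
    current = target;
  }
  throw new Error(`more than ${maxHops} redirects from ${url}`);
}
```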

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-21620
GHSA-F27P-CMV8-XHM6

Affected Products

Deno