CVE-2026-49336

Name of the Vulnerable Software and Affected Versions @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101

Description The RedirectHandler in the library fails to properly remove sensitive headers during cross-origin redirects. While it is intended to strip Authorization and Cookie headers, the default scrubSensitiveHeaders callback in RedirectHandlerOptions performs case-sensitive deletion. Because the FetchRequestAdapter.getRequestFromRequestInformation function has already converted headers to lowercase, the deletion attempts target non-existent keys. Consequently, the scrubbing process is ineffective, allowing Bearer tokens or Cookies to be forwarded to attacker-controlled hosts during a 30x redirect. This issue affects the default middleware chain (MiddlewareFactory.getDefaultMiddlewares) and any TypeScript SDK using BaseBearerTokenAuthenticationProvider or other providers that set the Authorization header.

Recommendations Update to version 1.0.0-preview.102.