CVE-2025-21620 Information

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.
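A caller-side guard against this behaviour, as an added example (not code from Deno or the advisory): it follows redirects manually and drops credential headers whenever the redirect target's origin differs. The function names, the `.example` hosts and the token are constructed; it assumes a server-side runtime where `redirect: "manual"` exposes the 3xx response and its `Location` header, and it only covers header-only requests (no method or body rewriting).

```javascript
// Added example. Only "authorization" comes from the advisory text; the
// other two header names are this example's own choice.
const SENSITIVE = new Set(["authorization", "proxy-authorization", "cookie"]);

// Resolve a Location value against the URL that produced the redirect and
// return the next URL together with the headers that are safe to send to it.
// `headers` is a plain object (name -> value).
function nextHop(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // also handles relative Location values
  if (to.protocol !== "https:" && to.protocol !== "http:") {
    throw new Error(`refusing redirect to ${to.protocol} URL`);
  }
  const sameOrigin = from.origin === to.origin; // scheme + host + port
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (sameOrigin || !SENSITIVE.has(name.toLowerCase())) kept[name] = value;
  }
  return { url: to.href, headers: kept, sameOrigin };
}

// Follow redirects by hand so every hop passes through nextHop().
// Once a credential header is dropped it stays dropped for later hops.
// fetchImpl is injectable so the logic can be exercised without a network.
async function fetchStrippingCredentials(url, headers, fetchImpl = fetch, maxHops = 5) {
  let hop = { url, headers };
  for (let i = 0; i <= maxHops; i++) {
    const res = await fetchImpl(hop.url, { headers: hop.headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !location) return res;
    hop = nextHop(hop.url, location, hop.headers);
  }
  throw new Error("too many redirects");
}

// Constructed sample: api.example answers with a redirect to cdn.example.
const demo = nextHop(
  "https://api.example/v1/item",
  "https://cdn.example/blob",
  { Authorization: "Bearer constructed-token", Accept: "application/json" },
);
```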

Reference

https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6
