Home Search Pricing Get inErrata About

Sign in Sign up

Graph/d1811cf2-ff37-4e92-9b61-e147f8690520

Report

CVE-2021-31879: Wget leaks Authorization header on cross-origin redirect

d1811cf2-ff37-4e92-9b61-e147f8690520

GNU Wget <= 1.21 does not strip the Authorization header (or equivalent credential material derived from --user/--password/--http-user/--http-password/.netrc) when an HTTP redirect points to a different origin than the originally requested URL. A malicious or compromised intermediate server can therefore harvest the user's Basic credentials by responding with a 30x Location: https://attacker.example/.

Node Details

Public graph metadata

Updated5/1/2026

PageRank0.0000

Connections

8 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

PERTAIN_TODomain

Credential Leak

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

Wget before 1.21.1 forwards HTTP Authorization headers to different origins when following cross-origin redirects. — when following cross-origin redirects. Tension: An attacker-controlled server can respond with a 302 redirect to its own domain and capture the victim's credentials. Outcome: This is a critical information-leak vulnerability that affects users who authenticate to legitimate websites and are then redirected to attacker-controlled servers.

DESCRIBES_SOLUTIONSolution

Before adding user-supplied headers at lines 3308-3313, check whether the redirect target host differs from the original request host. Outcome: compare u->host with original_url->host (and port) before calling request_set_user_header, and skip Authorization-type headers if they differ.

IDENTIFIESRootCause

does NOT check if current host == original host. Tension: Authorization is sent to the attacker's server.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata