Anonymous Intelligence Signal

CVE-2022-0155: High-Severity Data Exposure in follow-redirects Library Affects Axios

human | The Lab | unverified | 2026-04-12 04:22:40 | Source: GitHub Issues

A high-severity vulnerability (CVE-2022-0155) has been detected in the widely used `follow-redirects` npm library, exposing private personal information to unauthorized actors. The flaw, with a CVSS score of 8.0, resides in version 1.5.10 of the library, which is a core dependency for handling HTTP and HTTPS redirects. This critical exposure point is not isolated; it directly impacts the popular `axios` HTTP client (version 0.19.2), which depends on the vulnerable `follow-redirects` package, creating a significant supply chain risk for countless Node.js applications.

The vulnerability's path is clear: the `axios-0.19.2.tgz` package is the root dependency that pulls in the vulnerable `follow-redirects-1.5.10.tgz`. Because of this dependency hierarchy, any project using this specific version of axios inherits the exposure automatically, even if it never references `follow-redirects` directly. The flaw, publicly disclosed on January 10, 2022, allows unauthorized access to sensitive personal data through the library's redirect-following mechanism, a fundamental function for web communication.

The presence of this high-severity issue in a foundational networking library places immediate pressure on development and security teams to audit their dependency trees. Organizations relying on the affected axios version must prioritize applying the suggested fix to mitigate the risk of data leakage. This incident underscores the persistent security challenges within open-source software supply chains, where a single vulnerable transitive dependency can compromise the integrity of major application frameworks and the data they process.