Intelligence | Severity: High | Vulnerability | Status: Active

HTTP Header Leakage During Redirect Following in HAPI FHIR

HAPI FHIR's HTTP client transmits authentication headers and sensitive data to redirect destinations without validation, enabling credential theft and cross-host impersonation attacks. Defenders must identify and patch affected deployments immediately.

Sebastion

CVE References

Affected

HAPI FHIR < 6.8.3

Vulnerability Description: This is a classic HTTP header leakage vulnerability in the HAPI FHIR library's internal HTTP client. The root cause is improper header handling during HTTP 3xx redirect sequences. When the client receives a redirect response (301, 302, 307, etc.), it automatically follows the Location header to a new host without sanitizing or filtering the original request headers. This violates HTTP security best practice and exposes sensitive data, including Authorization headers, API keys, session tokens, and custom bearer tokens, to untrusted hosts. The vulnerability allows any attacker controlling a redirect target to harvest credentials meant only for the original service.

Proof-of-Concept Significance: This vulnerability is highly reliable and requires minimal preconditions: an attacker need only control a single external URL that a FHIR client will connect to, issue an HTTP redirect response, and observe the headers sent in the follow-up request. The PoC demonstrates a fundamental flaw in the library's redirect handling logic that affects all applications using HAPI FHIR versions prior to 6.8.3. No client-side action beyond normal operation is required to trigger the leak.

Detection Guidance: Monitor for: (1) HTTP requests containing Authorization headers being sent to unexpected or external hosts; (2) FHIR client logs showing redirect chains crossing trust boundaries; (3) Outbound traffic to unfamiliar domains immediately following FHIR service requests; (4) Bearer tokens or API credentials appearing in access logs for non-FHIR services; (5) Multiple hosts receiving identical Authorization header values within short timeframes. Enable detailed HTTP request logging on firewalls and proxies to capture Location header values and the downstream requests that follow them.

Mitigation Steps: (1) Immediate: Upgrade HAPI FHIR to version 6.8.3 or later; (2) Network controls: Implement egress filtering to restrict FHIR client redirect targets to whitelisted domains; (3) Configuration: Disable automatic redirect following in HTTP client settings if not strictly required; (4) Monitoring: Deploy header-scanning tools to detect credential transmission to unexpected hosts; (5) Credential rotation: Consider rotating any API keys or tokens that may have been exposed during the vulnerability window.
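The check that the description above says is missing, and that mitigation step (3) works around, is the decision a redirect-following client makes before it forwards request headers. The following is an added illustration in Python, not HAPI FHIR code: it strips credential-bearing headers whenever the Location target leaves the original origin (scheme, host, port), and optionally refuses redirects to hosts outside an allow-list. Header names and URLs are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials; they must not cross an origin boundary.
# (Constructed list for this example, not a HAPI FHIR setting.)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect_unsafe(original_url, location, headers):
    """The leaky behaviour: follow Location and resend every header as-is."""
    return urljoin(original_url, location), dict(headers)


def headers_for_redirect(original_url, location, headers, allowed_hosts=None):
    """Decide which headers may accompany the follow-up request.

    Returns (target_url, forwarded_headers). Credentials are dropped when the
    redirect changes origin (a scheme downgrade counts as a change). If
    allowed_hosts is given, a target outside it is refused as (None, None).
    """
    target = urljoin(original_url, location)  # Location may be relative
    scheme, host, _ = origin(target)
    if scheme not in ("http", "https"):
        return None, None  # refuse non-HTTP schemes outright
    if allowed_hosts is not None and host not in allowed_hosts:
        return None, None
    if origin(target) == origin(original_url):
        return target, dict(headers)  # same origin: safe to forward everything
    forwarded = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, forwarded
```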

Risk Assessment: This vulnerability has high likelihood of exploitation in production healthcare environments where FHIR integrations are common and often connect across organizational boundaries. The attack surface is significant because healthcare systems frequently use interoperability standards and external API calls. Threat actors targeting healthcare infrastructure (ransomware operators, APTs, and credential harvesters) have demonstrated interest in supply-chain compromises and header-based credential theft. Exploitation likelihood increases if FHIR clients are configured to follow redirects to user-controlled or attacker-influenced URLs.