## CVE-2022-0536: Low-Severity Leak in 'follow-redirects' NPM Package Affects Axios
A low-severity vulnerability, tracked as CVE-2022-0536, has been detected in a widely used JavaScript library. The flaw affects versions of the `follow-redirects` npm package prior to 1.14.8, a library that many HTTP clients depend on to follow HTTP redirects. The vulnerability is classified as "Improper Removal of Sensitive Information Before Storage or Transfer," meaning sensitive data attached to a request could be carried along, and so exposed, when the request is re-sent to a redirect target.

The issue was formally published in February 2022 but remains present in specific dependency chains. In this instance, the vulnerable library `follow-redirects-1.5.10.tgz` is a direct dependency of the popular HTTP client `axios-0.19.2.tgz`. This creates a potential exposure path for any application relying on this specific version of Axios, as it inherits the vulnerability from its underlying redirect-handling component. The vulnerability's description from the Mend vulnerability database is noted to differ from the official MITRE entry, adding a layer of ambiguity to its exact nature and impact.

While rated as low severity, the presence of this flaw in a foundational network library underscores the persistent challenge of securing complex software supply chains. It places scrutiny on projects using older versions of Axios and highlights the need for consistent dependency updates, even for vulnerabilities that do not present an immediate, high-risk threat. The dependency file is identified as `/package.json`, meaning the affected Axios version is declared in the project's root configuration.
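The leak class this CWE describes, shown as an added example that is not code from `follow-redirects` or Axios: a redirect handler that strips credential-bearing headers before re-sending a request across a host change or an HTTPS-to-HTTP downgrade. It assumes the sensitive data at risk is request headers such as `Authorization` and `Cookie`, which the page does not name; the sample headers are constructed.

```javascript
// Added example, not follow-redirects' or axios' own code. Assumption: the
// sensitive data at risk is credential-bearing request headers that a naive
// redirect handler would forward unchanged to the redirect target.

// Headers that must not travel to a different host or over a downgraded scheme.
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// True when following a redirect from `fromUrl` to `toUrl` crosses a trust
// boundary: the host (including any non-default port) changes, or the
// connection is downgraded from HTTPS to plain HTTP. Uses the global WHATWG URL.
function crossesTrustBoundary(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const hostChanged = from.host.toLowerCase() !== to.host.toLowerCase();
  const downgraded = from.protocol === 'https:' && to.protocol === 'http:';
  return hostChanged || downgraded;
}

// Builds the header set for the redirected request. Sensitive headers are
// removed only when the redirect crosses a trust boundary; same-origin
// redirects keep them so authenticated flows still work.
function sanitizeRedirectHeaders(fromUrl, toUrl, headers) {
  const strip = crossesTrustBoundary(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (strip && SENSITIVE_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample: a request carrying a bearer token is redirected off-host.
const sampleHeaders = {
  Authorization: 'Bearer example-token',
  Cookie: 'session=constructed-value',
  Accept: 'application/json',
};
console.log(sanitizeRedirectHeaders(
  'https://api.example.com/v1/resource',
  'https://files.example.net/download',
  sampleHeaders,
)); // prints only the Accept header
```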
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2022-0536, npm, axios, supply-chain, vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-12 04:22:42
- **ID**: 60410
- **URL**: https://whisperx.ai/en/intel/60410