After the Anthropic disclosure, I decided to follow the pattern systematically. If credential handling on redirects was a problem in Claude Code, where else might it be hiding? I started looking at the most used HTTP libraries in the open source ecosystem - and what I found exceeded my expectations.
Over 30 reports in a few months, covering labstack/echo (30,000 GitHub stars), aio-libs/aiohttp (15,000 stars), the AWS SageMaker SDK, follow-redirects (used by axios), sindresorhus/got, nodejs/undici, node-fetch, go-resty and Block OSS: projects used by millions of developers every day. The vulnerability classes I found: credential leak on redirect, scheme injection, path traversal, integrity bypass.
Lessons from the trenches
The most important lesson: the most dangerous vulnerabilities are in components everyone takes for granted. When an HTTP library with millions of weekly downloads forwards authentication headers to a different host during a redirect, the potential impact is enormous. But nobody thinks of testing their HTTP library because "it works."
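The check a redirect-following client should make before reusing credential-bearing headers, as an added example (not code from any of the libraries named above or from the author): credentials follow a redirect only when the origin (scheme, host, effective port) is unchanged, so a cross-host redirect or an https-to-http downgrade drops them. The header set and function names are assumptions.

```python
from urllib.parse import urlsplit

# Headers that carry credentials and must not travel to another origin on redirect.
# (Assumed set for this example; a real client may need to extend it.)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def _origin(url):
    """Return (scheme, host, effective port), resolving the default port."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:
        port = {"http": 80, "https": 443}.get(scheme)
    return scheme, host, port


def credentials_may_follow(original_url, redirect_url):
    """
    True only when the redirect target has the same origin as the original request.
    A host change would hand the token to a third party; an https->http downgrade
    would expose it in cleartext even on the same host, so both are refused.
    """
    return _origin(original_url) == _origin(redirect_url)


def headers_for_redirect(headers, original_url, redirect_url):
    """Copy of the request headers that is safe to send with the redirected request."""
    if credentials_may_follow(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample: an API call redirected to a third-party host.
    hdrs = {"Authorization": "Bearer example-token", "Accept": "application/json"}
    print(headers_for_redirect(hdrs, "https://api.example.com/v1", "https://cdn.example.net/file"))
```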
The second lesson: the quality of the disclosure process varies enormously. Some teams responded within hours with acknowledgment and timeline. Others never responded. Some fixed in days, others took months. The maturity of an open source project is also measured by how it handles security reports.
The third lesson, a personal one: doing vulnerability research at scale requires method. I developed a systematic checklist, wrote automation tools to test specific patterns, and documented every report meticulously. It is not random hunting - it is research engineering.
If you want to dive deeper into this topic or need specialized consulting, let us talk.