Postman Security Update: Fixing a URL Exposure Risk in ‘Related Requests’

At Postman, security is a continuous, proactive process. As we recently wrote about, we build, test, and strengthen our platform daily to earn your trust. Our response to a finding in the “Related Requests” feature is a perfect example of our secure-by-design philosophy at work. We introduced this feature to improve API discovery by suggesting similar requests from the Public API Network based on the structure of a user’s request URL.
We identified a potential vulnerability in the design of this feature. By fully resolving URLs before sending them to our backend services, we could inadvertently resolve and send sensitive information embedded within the URL itself. While it is best practice never to include sensitive information in URLs, legacy applications sometimes still do, which could exacerbate the risk.
Our process was methodical:
- Proactive Discovery: During our standard security review processes, our team identified that the feature, launched in 2024, could transmit full URLs, including the resolved values of any sensitive variables embedded in them.
- Immediate Investigation: We verified that no sensitive data was stored by our systems.
- Decisive Action: We immediately disabled the feature globally and re-engineered it to use only the URL hostname, permanently removing the risk.
- Secure Deployment: A patched, secure version was rolled out (v11.46.5 for Free, Basic, Professional & v11.47.3 for Enterprise), and the feature was re-enabled only for users on these updated versions.
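To illustrate the design change described above, here is an added example (not Postman's code) contrasting a client that resolves `{{variables}}` and ships the whole URL with one that derives only the hostname before anything leaves the client; the helper names, the environment and the secret value are constructed for this illustration.

```javascript
// Constructed environment: a Postman-style variable set with one secret.
const environment = {
  baseUrl: 'https://api.example.com',
  apiKey: 'sk_live_CONSTRUCTED_SECRET',
};

// Hypothetical helper: resolve {{var}} placeholders, leaving unknown ones as-is.
function resolveVariables(template, vars) {
  return template.replace(/\{\{(\w+)\}\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : match);
}

// Original design: the fully resolved URL, query string and all, is the payload,
// so a secret placed in the path or query travels with it.
function relatedRequestsPayloadBefore(template, vars) {
  return { url: resolveVariables(template, vars) };
}

// Re-engineered design: only the hostname is derived from the request URL.
// URL.hostname drops userinfo, path, query and fragment, the places a secret could sit.
function relatedRequestsPayloadAfter(template, vars) {
  const resolved = resolveVariables(template, vars);
  let hostname;
  try {
    hostname = new URL(resolved).hostname;
  } catch {
    return null; // unparsable URL: send nothing rather than a partial string
  }
  return { hostname };
}

// Defender's check: does a serialized outbound payload still contain any secret value?
function leaksSecret(payload, vars, secretNames) {
  if (!payload) return false;
  const serialized = JSON.stringify(payload);
  return secretNames.some((name) => serialized.includes(vars[name]));
}

const template = '{{baseUrl}}/v1/users?api_key={{apiKey}}';
console.log(relatedRequestsPayloadBefore(template, environment)); // secret present
console.log(relatedRequestsPayloadAfter(template, environment));  // { hostname: 'api.example.com' }
```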
This cycle of continuous improvement is core to our mission. For maximum protection, we encourage all users to manage sensitive information with tools like Postman Vault.
If you have any questions, please feel free to submit a support request, and a member of our team will get back to you. We always welcome your feedback and ideas through either our bug bounty program or via email.
Sam Chehab, Head of Information Security and IT, Postman