Mechanize < v2.8.5 leaks the Authorization header after a redirect to a different port on the same site.
Upgrade to Mechanize v2.8.5 or later.
See https://curl.se/docs/CVE-2022-27776.html for a similar vulnerability in curl.
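The check a client needs before replaying credentials on a redirect, as an added example (not Mechanize's own code; the helper names, the `example.test` URLs and the token are constructed for illustration). It puts a host-only comparison, which models the leak described above, beside a scheme, host and port comparison:

```ruby
require "uri"

# Hypothetical helper names; this is not Mechanize's internal code.
SENSITIVE_HEADERS = %w[authorization].freeze

# Weak check: any port on the same host counts as the same destination.
def same_host?(from, to)
  from.host.casecmp?(to.host)
end

# Strict check: scheme, host and effective port must all match.
def same_origin?(from, to)
  from.scheme.casecmp?(to.scheme) &&
    from.host.casecmp?(to.host) &&
    from.port == to.port # URI supplies the default port (80/443) when none is written
end

# Returns the headers that may be sent on the redirected request.
def headers_for_redirect(headers, from_url, location, check: :same_origin?)
  from = URI.parse(from_url)
  to = from.merge(location) # resolves relative Location values against the request URL
  return headers.dup if send(check, from, to)

  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.downcase) }
end

# Constructed sample request; example.test is a reserved test domain.
HEADERS = { "Authorization" => "Bearer constructed-token", "Accept" => "*/*" }.freeze
ORIGIN  = "https://example.test/login"

[
  "/next",                          # relative, same origin
  "https://example.test:443/next",  # explicit default port, same origin
  "https://example.test:8443/next", # different port on the same host
  "http://example.test/next"        # scheme downgrade
].each do |location|
  strict = headers_for_redirect(HEADERS, ORIGIN, location).key?("Authorization")
  weak = headers_for_redirect(HEADERS, ORIGIN, location, check: :same_host?).key?("Authorization")
  puts format("%-32s strict sends auth: %-5s host-only sends auth: %s", location, strict, weak)
end
```
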
Cookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part: