Description
AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core.
Published: 2026-04-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Immediate Patch
AI Analysis

Impact

AdonisJS HTTP Server versions before 7.8.1 and 8.0.0‑next.0 through 8.1.3, as well as earlier @adonisjs/core releases, accept a Referer header from an incoming HTTP request and redirect the browser to that URL without verifying the target host. This flaw, identified as a CWE‑601 Open Redirect vulnerability, allows an attacker who can set or influence the Referer header to redirect honest users of the application to a malicious site, potentially facilitating phishing or other social‑engineering attacks.

Affected Systems

Any project that uses @adonisjs/http-server through the response.redirect().back() or response.redirect('back') API and runs a vulnerable version is impacted. The vulnerability is present in @adonisjs/http-server prior to 7.8.1 and before 8.2.0, and in @adonisjs/core prior to 7.4.0.

Risk and Exploitability

The CVSS base score is 6.1, indicating a moderate severity. No EPSS value is available, and the issue is not listed in CISA's KEV catalog. The likely attack vector is a remote injection via crafted HTTP requests that supply a malicious Referer header. Attacker control of the Referer header allows malicious redirection of users without requiring authentication or exploit of additional services.

Generated by OpenCVE AI on April 17, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @adonisjs/http-server to version 7.8.1 or later and @adonisjs/core to 7.4.0 or later.
  • If the update cannot be applied immediately, modify the application code to validate that any URL used in response.redirect().back() points to the same domain as the host, rejecting external hosts.
  • After applying the patch or validation change, perform regression tests to confirm that only internal URLs are used and no external redirects occur.
  • Optionally, remove the usage of response.redirect().back() entirely and replace it with a fixed user‑controlled URL to avoid reliance on the Referer header.

Generated by OpenCVE AI on April 17, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6qvv-pj99-48qm @adonisjs/http-server has an Open Redirect vulnerability
History

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Adonisjs
Adonisjs http-core
Adonisjs http-server
Vendors & Products Adonisjs
Adonisjs http-core
Adonisjs http-server

Thu, 16 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core.
Title @adonisjs/http-server has an Open Redirect vulnerability
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adonisjs Http-core Http-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T18:43:10.697Z

Reserved: 2026-04-10T17:31:45.787Z

Link: CVE-2026-40255

cve-icon Vulnrichment

Updated: 2026-04-17T18:43:07.185Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-16T23:16:33.267

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40255

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T08:01:24Z

Weaknesses