Description
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Published: 2026-04-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of authentication credentials
Action: Patch
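The header-stripping behaviour described above, as an added example that is not follow-redirects' own code: a pure function that decides which request headers may follow a redirect. The `LEGACY_STRIP` regex models the pre-1.16.0 list from the description; the `CREDENTIAL_HEADERS` policy, the sample headers and the hostnames are assumptions constructed for this example.

```javascript
// Added example, not follow-redirects' own code: compute the header set that
// may accompany a redirect, dropping credential-bearing headers whenever the
// redirect target is a different origin from the original request.

// Pre-1.16.0 behaviour as described in the advisory: only these names were
// removed on a cross-domain redirect; every other header was forwarded.
const LEGACY_STRIP = /^(?:(?:proxy-)?authorization|cookie)$/i;

// Hardened policy (an assumption for this example, not the library's list):
// the standard credential headers plus common custom API-key/token headers.
const CREDENTIAL_HEADERS =
  /^(?:(?:proxy-)?authorization|cookie|x-api-key|x-auth-token|api-key|token)$/i;

// A redirect is cross-origin when the scheme, host or port changes.
function isCrossOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.hostname !== b.hostname || a.port !== b.port;
}

// Copy `headers` without any name matched by `pattern` (names compared case-insensitively).
function dropHeaders(headers, pattern) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!pattern.test(name)) kept[name] = value;
  }
  return kept;
}

// Headers to send to `toUrl` after being redirected there from `fromUrl`.
// Same-origin redirects keep everything; cross-origin ones apply `policy`.
function headersForRedirect(headers, fromUrl, toUrl, policy = CREDENTIAL_HEADERS) {
  return isCrossOrigin(fromUrl, toUrl) ? dropHeaders(headers, policy) : { ...headers };
}

// Constructed sample: credentials that were meant for api.example.test only.
const SAMPLE_HEADERS = {
  Authorization: "Bearer placeholder-token",
  "X-API-Key": "placeholder-key",
  Accept: "application/json",
};
const ORIGINAL_URL = "https://api.example.test/v1/items";
const REDIRECT_URL = "https://mirror.elsewhere.test/v1/items";

// Under the legacy regex the X-API-Key survives the hop; under the hardened
// policy it does not.
console.log("legacy:  ", headersForRedirect(SAMPLE_HEADERS, ORIGINAL_URL, REDIRECT_URL, LEGACY_STRIP));
console.log("hardened:", headersForRedirect(SAMPLE_HEADERS, ORIGINAL_URL, REDIRECT_URL));
```

For versions that cannot yet be upgraded, the same check can be applied from the library's `beforeRedirect` hook, if your installed version provides it, by replacing the outgoing headers with the result of `headersForRedirect`.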
AI Analysis

Impact

Prior to version 1.16.0, the follow-redirects library forwarded any custom authentication headers, such as X-API-Key or X-Auth-Token, when an HTTP request was automatically redirected across domain boundaries. This behavior allowed the original credentials to be transmitted to a third‑party site. The vulnerability is an information‑exposure flaw that could enable an attacker to discover values that were intended for a different service domain. The weakness is mapped to CWE-200 (Information Exposure) and CWE-212 (Missing Encryption of Credentials).

Affected Systems

Any Node.js application that imports the follow-redirects package with a version earlier than 1.16.0 is affected. The package was updated in 1.16.0 to remove the forwarding of custom authentication headers on cross‑domain redirects. Applications should verify the installed package version or upgrade to the latest release to prevent the unintended leakage.

Risk and Exploitability

The CVSS score of 6.9 classifies this vulnerability as medium severity. The EPSS score of < 1% indicates a very low statistical probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an HTTP request that triggers a cross‑domain redirect, which can potentially be crafted by an attacker who can influence the URL requested by the application or by an attacker who can run code that uses the library. Based on the description, exploitation is relatively straightforward for code that can cause such redirects, but it requires the attacker to be able to influence or substitute the request URL.

Generated by OpenCVE AI on April 29, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the follow-redirects package to version 1.16.0 or later so that custom authentication headers are no longer forwarded on cross‑domain redirects.
  • Review application logic to ensure that requests containing sensitive authentication headers are not directed to external domains, or remove those headers before such requests are made.
  • Consider applying network monitoring or WAF rules that flag unexpected cross‑domain redirects that carry authentication header values, allowing rapid detection of misuse.

Generated by OpenCVE AI on April 29, 2026 at 00:26 UTC.

Advisories

No advisories yet.

History

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-212
References
Metrics threat_severity

None

threat_severity

Important


Thu, 23 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Follow-redirects Project
Follow-redirects Project follow-redirects
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*
Vendors & Products Follow-redirects Project
Follow-redirects Project follow-redirects
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Follow-redirects
Follow-redirects follow Redirects
Vendors & Products Follow-redirects
Follow-redirects follow Redirects

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Title follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:31:34.652Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40895

Vulnrichment

Updated: 2026-04-22T13:31:23.606Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:44.337

Modified: 2026-04-23T15:54:31.857

Link: CVE-2026-40895

Redhat

Severity: Important

Public Date: 2026-04-21T19:59:59Z

Links: CVE-2026-40895 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z