Description
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Published: 2026-04-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of authentication credentials
Action: Immediate Patch
AI Analysis

Impact

Prior to version 1.16.0, the follow-redirects library forwarded custom authentication headers such as X-API-Key or X-Auth-Token when following cross‑domain redirects (301/302/307/308). These headers were not stripped, allowing an attacker to capture the credentials that were intended for the original target. The primary impact is the unauthorized disclosure of authentication credentials, which could enable an attacker to gain elevated access to downstream services. The weakness is classified as CWE‑200.

Affected Systems

Any Node.js application that uses the follow‑redirects package, version 1.15.x or earlier, is affected. The vulnerability is mitigated in releases 1.16.0 and later. Applications should verify the installed package version or upgrade to the current release to remove the behavior.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity risk. Because the exploit requires only an HTTP request that triggers a cross‑domain redirect, it is relatively easy to execute from remote or local code that uses the library. The EPSS score is not available, but the lack of listing in the CISA KEV catalog suggests no widespread active exploits have been observed yet. Nevertheless, the potential for credential leakage makes it prudent to address promptly, especially in environments that expose sensitive API keys or tokens.

Generated by OpenCVE AI on April 22, 2026 at 06:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the follow‑redirects package to version 1.16.0 or later to ensure custom authentication headers are stripped from cross‑domain redirects.
  • Audit application code to identify any transmissions of custom authentication headers on requests that may trigger cross‑domain redirects, and either remove those headers or restructure the request logic so that sensitive headers are not sent to external domains.
  • Implement network monitoring or WAF rules to detect unexpected cross‑domain redirects that include authentication headers, enabling rapid identification of potential abuse.

Generated by OpenCVE AI on April 22, 2026 at 06:42 UTC.
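As an added example (not part of the OpenCVE record and not follow-redirects' own code), the following compares the narrow deny-list the Description attributes to pre-1.16.0 releases with a hardened policy that drops every credential-bearing header on a cross-domain hop, and includes a small audit helper for the second recommended action above. The header names, the sample values and the scheme-plus-host comparison used as the domain boundary are assumptions for illustration.

```javascript
// Constructed request headers as a client might send them to an API.
const SAMPLE_HEADERS = {
  "Content-Type": "application/json",
  "Authorization": "Bearer demo-token",   // constructed value
  "Cookie": "session=demo",               // constructed value
  "X-API-Key": "demo-api-key",            // constructed value
  "X-Auth-Token": "demo-auth-token",      // constructed value
  "User-Agent": "example-client/1.0",
};

// Pre-1.16.0 behaviour as the advisory describes it: only these three
// header names are removed when the redirect leaves the original domain.
const NARROW_DENYLIST = /^(?:authorization|proxy-authorization|cookie)$/i;

// Hardened policy: every header name that carries a credential is removed
// on a cross-domain hop. The names are assumed; extend for your own scheme.
const CREDENTIAL_HEADER =
  /^(?:authorization|proxy-authorization|cookie|x-api-key|x-auth-token|api-key|token|x-access-token)$/i;

// Simplified boundary check (assumption): any change of scheme or of
// host:port counts as cross-domain, so subdomains are not trusted either.
function isCrossDomain(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.host !== b.host;
}

// Returns the headers that would be sent to the redirect target under
// the given stripping pattern; same-domain redirects keep everything.
function stripForRedirect(headers, fromUrl, toUrl, pattern) {
  if (!isCrossDomain(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!pattern.test(name)) out[name] = value;
  }
  return out;
}

// Audit helper: which credential-bearing headers still reach a foreign
// host under a given policy? An empty list means nothing leaks.
function leakedHeaders(headers, fromUrl, toUrl, pattern) {
  return Object.keys(stripForRedirect(headers, fromUrl, toUrl, pattern))
    .filter((name) => CREDENTIAL_HEADER.test(name));
}

const ORIGIN = "https://api.example.test/v1/data";
const FOREIGN = "https://collector.example.net/landing";
console.log(leakedHeaders(SAMPLE_HEADERS, ORIGIN, FOREIGN, NARROW_DENYLIST));   // → [ 'X-API-Key', 'X-Auth-Token' ]
console.log(leakedHeaders(SAMPLE_HEADERS, ORIGIN, FOREIGN, CREDENTIAL_HEADER)); // → []
```

The same helper can be pointed at a real request's header object before it is handed to a redirect-following client, to confirm that no custom credential survives a hop to another host.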

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 04:30:00 +0000

  Type: First Time appeared
  Values Added: Follow-redirects; Follow-redirects follow Redirects
  Type: Vendors & Products
  Values Added: Follow-redirects; Follow-redirects follow Redirects

Wed, 22 Apr 2026 00:00:00 +0000

  Type: Description
  Values Added: (the Description text shown at the top of this page)
  Type: Title
  Values Added: follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets
  Type: Weaknesses
  Values Added: CWE-200
  Type: References
  Values Added: (none shown)
  Type: Metrics
  Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:31:34.652Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40895

Vulnrichment

Updated: 2026-04-22T13:31:23.606Z

NVD

Status : Received

Published: 2026-04-21T21:16:44.337

Modified: 2026-04-21T21:16:44.337

Link: CVE-2026-40895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:45:10Z

Weaknesses