GHSA-48rx-c7pg-q66r

Suggest an improvement
Source
https://github.com/advisories/GHSA-48rx-c7pg-q66r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-48rx-c7pg-q66r/GHSA-48rx-c7pg-q66r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-48rx-c7pg-q66r
Aliases
  • CVE-2026-54171
Downstream
Published
2026-07-10T20:37:29Z
Modified
2026-07-10T20:45:08.410511955Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Excon does not redact additional sensitive/risky headers when following redirects
Details

Impact

The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip.

What kind of vulnerability is it? Who is impacted? This could cause inadvertent leakage of sensitive data for users of the RedirectFollower middleware in cases where the initial request includes header information that is not intended for the new target.

Patches

Patch exists and is released in v1.5.0

Workarounds

Users can backport the fix to a custom redirect follower middleware.

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-07-10T20:37:29Z",
    "severity": "MODERATE"
}
References

Affected packages

RubyGems / excon

Package

Name
excon
Purl
pkg:gem/excon

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.0

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.7
0.0.8
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.6
0.2.7
0.2.8
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.10.0
0.10.1
0.11.0
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.7
0.16.8
0.16.9
0.16.10
0.17.0
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.20.0
0.20.1
0.21.0
0.22.0
0.22.1
0.23.0
0.24.0
0.25.0
0.25.1
0.25.2
0.25.3
0.26.0
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5
0.27.6
0.28.0
0.29.0
0.30.0
0.31.0
0.32.0
0.32.1
0.33.0
0.34.0
0.35.0
0.36.0
0.37.0
0.38.0
0.39.0
0.39.1
0.39.2
0.39.3
0.39.4
0.39.5
0.39.6
0.40.0
0.41.0
0.42.0
0.42.1
0.43.0
0.44.0
0.44.1
0.44.2
0.44.3
0.44.4
0.45.0
0.45.1
0.45.2
0.45.3
0.45.4
0.46.0
0.47.0
0.48.0
0.49.0
0.50.0
0.50.1
0.51.0
0.52.0
0.53.0
0.54.0
0.55.0
0.56.0
0.57.0
0.57.1
0.58.0
0.59.0
0.60.0
0.61.0
0.62.0
0.63.0
0.64.0
0.65.0
0.66.0
0.67.0
0.68.0
0.69.0
0.69.1
0.70.0
0.71.0
0.71.1
0.72.0
0.73.0
0.74.0
0.75.0
0.76.0
0.78.0
0.78.1
0.79.0
0.80.0
0.80.1
0.81.0
0.82.0
0.83.0
0.84.0
0.85.0
0.86.0
0.87.0
0.88.0
0.89.0
0.90.0
0.91.0
0.92.0
0.92.1
0.92.2
0.92.3
0.92.4
0.92.5
0.93.0
0.93.1
0.94.0
0.95.0
0.96.0
0.97.0
0.97.1
0.97.2
0.98.0
0.99.0
0.100.0
0.101.0
0.102.0
0.103.0
0.104.0
0.105.0
0.106.0
0.107.0
0.108.0
0.109.0
0.110.0
0.111.0
0.112.0
1.*
1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-48rx-c7pg-q66r/GHSA-48rx-c7pg-q66r.json"