GHSA-x426-x7cc-3fpc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x426-x7cc-3fpc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x426-x7cc-3fpc/GHSA-x426-x7cc-3fpc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x426-x7cc-3fpc
- Aliases
-
- CVE-2026-48022
- Published
- 2026-06-11T13:27:05Z
- Modified
- 2026-06-11T13:30:23.883952048Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
- Details
-
Impact
Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. The fix replaces the hostname comparison with a full-origin comparison (scheme, host, and port), aligning the behavior with the WHATWG Fetch same-origin definition used by browsers.
Patches
Upgrade to >= 18.1.2.
Workarounds
- Set
redirects: 0(default) and handle redirects manually with a strict origin check. - Use the
beforeRedirecthook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.
- Set
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-200", "CWE-319", "CWE-346", "CWE-522", "CWE-940" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-06-11T13:27:05Z" }- References
Affected packages
npm / @hapi/wreck
Package
- Name
- @hapi/wreck
- View open source insights on deps.dev
- Purl
- pkg:npm/%40hapi%2Fwreck