CVE-2026-40255
Received Received - Intake
Open Redirect in AdonisJS HTTP Server via Unvalidated Referer Header

Publication date: 2026-04-16

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40255
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
adonisjs http-server to 7.8.1 (exc)
adonisjs http-server From 8.0.0 (exc) to 8.1.3 (inc)
adonisjs core to 7.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the AdonisJS HTTP Server package and the AdonisJS core package in certain versions prior to their fixed releases. The issue occurs because the response.redirect().back() method reads the Referer header from incoming HTTP requests and redirects users to that URL without validating the host.

An attacker who can manipulate the Referer header can exploit this behavior to redirect users to malicious external websites. This means that any AdonisJS application using response.redirect().back() or response.redirect('back') in the affected versions is vulnerable to such an attack.

Impact Analysis

The vulnerability can lead to users being redirected to malicious external sites controlled by an attacker. This can result in phishing attacks, malware distribution, or other malicious activities that compromise user security and trust.

Since the redirect happens without validating the host, users may unknowingly visit harmful sites, potentially leading to credential theft or other security breaches.

Mitigation Strategies

To mitigate this vulnerability, upgrade the affected packages to the fixed versions.

  • Upgrade @adonisjs/http-server to version 7.8.1 or later, or 8.2.0 or later.
  • Upgrade @adonisjs/core to version 7.4.0 or later.

These updates fix the issue by validating the Referer header before redirecting, preventing malicious external redirects.

Compliance Impact

The vulnerability allows an attacker to manipulate the Referer header to cause the application to redirect users to malicious external sites. This can lead to phishing or other malicious activities that compromise user security and privacy.

Such behavior may impact compliance with standards and regulations like GDPR and HIPAA, which require protecting user data and ensuring secure handling of user interactions to prevent unauthorized data exposure or redirection to harmful sites.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40255. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart