CVE-2026-40895
Received Received - Intake
Authorization Header Exposure in follow-redirects Before

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40895
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
follow-redirects_project follow-redirects to 1.16.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to the leakage of sensitive authentication credentials to unintended third-party domains during HTTP redirects. If an attacker controls or monitors the redirect target, they could capture custom authentication headers and potentially gain unauthorized access to protected resources or services. This increases the risk of data breaches and unauthorized actions performed on behalf of the user or application.

Executive Summary

The vulnerability exists in the follow-redirects library prior to version 1.16.0. When an HTTP request follows a cross-domain redirect (such as 301, 302, 307, or 308 status codes), the library only removes standard sensitive headers like authorization, proxy-authorization, and cookie headers. However, it fails to remove any custom authentication headers (for example, X-API-Key, X-Auth-Token, Api-Key, Token), which are forwarded unchanged to the redirect target. This could unintentionally expose sensitive authentication information to unintended domains.

Mitigation Strategies

To mitigate this vulnerability, upgrade the follow-redirects package to version 1.16.0 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40895. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart