CVE-2026-40895
Modified Modified - Updated After Analysis

Authorization Header Exposure in follow-redirects Before

Vulnerability report for CVE-2026-40895, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-21

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-21
Last Modified
2026-07-01
Generated
2026-07-06
AI Q&A
2026-04-22
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
follow-redirects_project follow-redirects to 1.16.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to the leakage of sensitive authentication credentials to unintended third-party domains during HTTP redirects. If an attacker controls or monitors the redirect target, they could capture custom authentication headers and potentially gain unauthorized access to protected resources or services. This increases the risk of data breaches and unauthorized actions performed on behalf of the user or application.

Executive Summary

The vulnerability exists in the follow-redirects library prior to version 1.16.0. When an HTTP request follows a cross-domain redirect (such as 301, 302, 307, or 308 status codes), the library only removes standard sensitive headers like authorization, proxy-authorization, and cookie headers. However, it fails to remove any custom authentication headers (for example, X-API-Key, X-Auth-Token, Api-Key, Token), which are forwarded unchanged to the redirect target. This could unintentionally expose sensitive authentication information to unintended domains.

Mitigation Strategies

To mitigate this vulnerability, upgrade the follow-redirects package to version 1.16.0 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40895. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart