CVE-2026-44979
Received Received - Intake

Proxy-Authorization Header Exposure in @hapi/wreck

Vulnerability report for CVE-2026-44979, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped, and the standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the original trust boundary when redirects are enabled through the redirects option or Wreck.defaults({ redirects: ... }). This issue is fixed in version 18.1.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hapi wreck to 18.1.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects @hapi/wreck, an HTTP client utility. When following a 3xx redirect to a different hostname, the Proxy-Authorization header containing forward-proxy credentials is not stripped and is forwarded to the redirect target. This could expose credentials to untrusted hosts if redirects are enabled.

Detection Guidance

This vulnerability can be detected by checking the version of @hapi/wreck in use. If the version is below 18.1.1, the system is vulnerable. Commands to check the version include: npm list @hapi/wreck for Node.js projects or inspecting package.json dependencies.

Impact Analysis

If you use @hapi/wreck with redirects enabled and follow redirects to different hostnames, an attacker could intercept forwarded Proxy-Authorization headers containing your proxy credentials. This may allow unauthorized access to proxy resources or network services.

Compliance Impact

This vulnerability could potentially expose credentials during redirects, which may violate data protection requirements under GDPR or HIPAA if sensitive data is transmitted insecurely. However, the CVE does not explicitly link this issue to compliance violations.

Mitigation Strategies

Update @hapi/wreck to version 18.1.1 or later to fix the vulnerability. Disable redirects if not required or validate redirect targets strictly to prevent exposure of Proxy-Authorization headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart