CVE-2026-54171
Received Received - Intake

Excon HTTP Redirect Header Leakage Vulnerability

Vulnerability report for CVE-2026-54171, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Excon is usable, fast, simple HTTP 1.1 for Ruby. Prior to 1.5.0, Excon's RedirectFollower middleware failed to strip additional sensitive headers when following redirects and did not provide a custom list of headers to strip. This could cause inadvertent leakage of sensitive data when the initial request includes header information that is not intended for the new target. This issue is fixed in version 1.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
excon excon 1.5.0
excon excon to 1.4.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Excon, a Ruby HTTP library, involves the RedirectFollower middleware failing to remove sensitive headers when following HTTP redirects. Before version 1.5.0, only a few headers like Authorization were stripped, but others such as Cookie, X-API-Key, or X-Session-ID could leak confidential data to unintended destinations during redirects.

Detection Guidance

To detect this vulnerability, check if your Ruby application uses Excon versions prior to 1.5.0. Run: gem list excon. If the version is below 1.5.0, the system is vulnerable. Inspect HTTP redirect handling in your application code for sensitive header leakage during redirects.

Impact Analysis

An attacker could exploit this to intercept sensitive data like authentication tokens, session cookies, or API keys if your application follows redirects with such headers. This could lead to unauthorized access to user accounts or sensitive systems, depending on the leaked data.

Compliance Impact

This vulnerability could violate GDPR by exposing personal data during redirects without proper safeguards. For HIPAA, it may risk leaking protected health information if headers contain such data. Compliance requires ensuring no sensitive headers are forwarded during redirects.

Mitigation Strategies

Upgrade Excon to version 1.5.0 or later using: gem update excon. If upgrading is not possible, implement custom middleware to redact sensitive headers like Cookie, Authorization, and X-API-Key during redirects. Remove any dangerous cookie-setting middleware.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54171. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart