@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-x426-x7cc-3fpc | @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 17 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | @hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2. | |
| Title | @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects | |
| Weaknesses | CWE-319 CWE-346 CWE-522 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T21:02:05.980Z
Reserved: 2026-05-20T17:44:09.587Z
Link: CVE-2026-48022
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Github GHSA