CVE-2026-40895

7.5 HIGH
Published: April 21, 2026 Modified: July 01, 2026
View on NVD

Description

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653
Source: security-advisories@github.com
Mitigation Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:13826
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:14937
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:16476
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:16532
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:16534
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:16535
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:16542
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:16874
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:17657
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:17699
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:17789
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:19109
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:19375
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:19712
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:20889
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:20938
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:21017
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:21338
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:21772
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:22465
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:22629
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:22840
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:23361
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:24536
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:24539
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:24766
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:24853
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:24977
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:25271
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:25273
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:26010
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:27004
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:27044
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/errata/RHSA-2026:27063
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://access.redhat.com/security/cve/CVE-2026-40895
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
https://bugzilla.redhat.com/show_bug.cgi?id=2460297
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

38 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.5%
38th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

follow-redirects_project