CVE-2026-40895— follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets

follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

N/A

信息暴露

Follow Redirects 信息泄露漏洞

Follow Redirects是follow-redirects开源的一个自动遵循 Http(s) 重定向的 Node.js 模块。 Follow Redirects 1.16.0之前版本存在信息泄露漏洞，该漏洞源于HTTP请求遵循跨域重定向时，仅剥离授权、代理授权和Cookie标头，可能导致自定义身份验证标头被转发到重定向目标。

N/A

N/A