GHSA-x426-x7cc-3fpcMediumCVSS 6.5

@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects

Published
June 11, 2026
Last Modified
June 11, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. The fix replaces the hostname comparison with a full-origin comparison (scheme, host, and port), aligning the behavior with the WHATWG Fetch same-origin definition used by browsers.

Patches

Upgrade to >= 18.1.2.

Workarounds

  • Set redirects: 0 (default) and handle redirects manually with a strict origin check.
  • Use the beforeRedirect hook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.

🎯 Affected products1

  • npm/@hapi/wreck:< 18.1.2

🔗 References (3)