PT-2026-32977 · npm · @adonisjs/http-server +1

Thetutlage · Published 2026-04-14 · Updated 2026-04-17 · CVE-2026-40255

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

@adonisjs/http-server versions prior to 7.8.1
@adonisjs/http-server versions 8.0.0-next.0 through 8.1.3
@adonisjs/core versions prior to 7.4.0

Description

The response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all applications using response.redirect().back() or response.redirect('back').

Recommendations

Update @adonisjs/http-server to version 7.8.1 or later.
Update @adonisjs/http-server to version 8.2.0 or later.
Update @adonisjs/core to version 7.4.0 or later.

As a temporary workaround, avoid using the response.redirect().back() method in routes reachable by unauthenticated users or external traffic, and instead use response.redirect().toPath() to redirect to a known safe path. Configure additional trusted hosts via the redirect.allowedHosts option in config/app.ts for applications operating across multiple domains.
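The following is an added example, not code from AdonisJS or from this advisory: a host-validated "redirect back" helper of the kind the workaround above describes, written in plain Node.js so it does not depend on the framework's API. The host allow-list, the fallback path and the sample request headers are constructed for illustration; the function names safeBackTarget and redirectBackLocation are assumptions of this example. It shows why checking the Referer host matters: an absolute URL to another site, a protocol-relative URL, a non-http scheme, and a userinfo trick such as https://app.example@evil.example/ all collapse to the fixed fallback path, while a Referer from a trusted host is reduced to its path and query so the resulting Location header stays same-origin.

```javascript
// Added example, not AdonisJS project code: validate the Referer host
// before honouring a "redirect back", the defect class this advisory
// describes. Allow-list, fallback path and sample headers are constructed.

// Only absolute http(s) Referers are considered; anything else (missing
// header, relative or protocol-relative URL, javascript: or data: scheme)
// falls back to a fixed same-site path.
function safeBackTarget(referer, allowedHosts, fallbackPath = "/") {
  if (typeof referer !== "string" || referer.trim() === "") {
    return fallbackPath;
  }

  let target;
  try {
    // No base URL is given, so "//evil.example/x" and "/relative" throw.
    target = new URL(referer);
  } catch {
    return fallbackPath;
  }

  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return fallbackPath;
  }

  // URL.host is lower-cased and includes any non-default port, so
  // "app.example:8443" counts as a different host from "app.example".
  // Userinfo tricks such as "https://app.example@evil.example/" parse to
  // host "evil.example" and are rejected by this comparison.
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  if (!allowed.has(target.host)) {
    return fallbackPath;
  }

  // Return only path and query: the redirect is then always same-origin,
  // equivalent to redirecting to a known path rather than a full URL.
  return target.pathname + target.search;
}

// Simulates a route handler deciding where to send the user after a form
// submission, given the request headers and the trusted host list.
function redirectBackLocation(headers, allowedHosts, fallbackPath = "/") {
  // Node lower-cases incoming header names; tolerate hand-built objects too.
  const referer = headers.referer ?? headers.Referer;
  return safeBackTarget(referer, allowedHosts, fallbackPath);
}

// Constructed sample data: a trusted host list and three requests, one
// legitimate and two carrying an attacker-influenced Referer.
const TRUSTED_HOSTS = ["app.example", "admin.app.example"];

const legitimate = { referer: "https://app.example/orders?page=2" };
const offSite = { referer: "https://evil.example/login" };
const userinfoTrick = { referer: "https://app.example@evil.example/" };

console.log(redirectBackLocation(legitimate, TRUSTED_HOSTS));    // /orders?page=2
console.log(redirectBackLocation(offSite, TRUSTED_HOSTS));       // /
console.log(redirectBackLocation(userinfoTrick, TRUSTED_HOSTS)); // /
```

The design choice worth noting is that the helper never echoes the Referer back as a full URL, even when the host is trusted: it strips the origin and keeps only the path and query, so a misconfigured allow-list degrades to an on-site redirect rather than an off-site one.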

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-40255
GHSA-6QVV-PJ99-48QM

Affected Products

@adonisjs/core
@adonisjs/http-server