PT-2026-43631 · Npm+1 · @Hapi/Wreck+1
CVE-2026-44979
·
Published
2026-05-27
·
Updated
2026-07-18
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
@hapi/wreck versions prior to 18.1.1
Description
When following a 3xx redirect to a different hostname, the utility only strips the
Authorization and Cookie headers. The Proxy-Authorization credential header is forwarded intact to the redirect target, which may expose forward-proxy credentials to a host outside the original trust boundary. This occurs when redirects are enabled via the redirects option or through Wreck.defaults({ redirects: ... }).Recommendations
Update to version 18.1.1 or later.
Leave the
redirects option at its default value of false.
Set redirects to 0 when calling endpoints with sensitive headers.
Strip Proxy-Authorization from the headers before issuing the request.
Use the beforeRedirect hook to manually strip Proxy-Authorization and other sensitive headers when the target hostname differs from the original request.Fix
Insufficiently Protected Credentials
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Hapi/Wreck
Wreck