PT-2026-48685 · Npm · @Hapi/Wreck

Published: 2026-06-11 · Updated: 2026-06-11 · CVE-2026-48022

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Impact

Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. The fix replaces the hostname comparison with a full-origin comparison (scheme, host, and port), aligning the behavior with the WHATWG Fetch same-origin definition used by browsers.

Patches

Upgrade to >= 18.1.2.

Workarounds

  • Set redirects: 0 (default) and handle redirects manually with a strict origin check.
  • Use the beforeRedirect hook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.
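
As an added illustration (not Wreck's own code), the following contrasts the hostname-only origin check described above with the full-origin (scheme, host, port) check the fix introduces, and shows which redirect targets each one lets a credential header through to. The hostnames, the token value and the helper functions are constructed for this example.

```javascript
// Added example, not code from the @hapi/wreck project.
const CREDENTIAL_HEADERS = ['authorization', 'cookie', 'proxy-authorization'];

// Vulnerable check: hostnames alone, so a port change or an HTTPS->HTTP
// downgrade on the same host still counts as "same origin".
function sameHostOnly(fromUrl, toUrl) {
  return new URL(fromUrl).hostname === new URL(toUrl).hostname;
}

// Fixed check: WHATWG-style origin comparison. URL.origin lower-cases the host
// and drops default ports (https://a:443 -> https://a). An opaque origin is
// serialised as "null" and is never considered the same as anything.
function sameOrigin(fromUrl, toUrl) {
  const from = new URL(fromUrl).origin;
  return from !== 'null' && from === new URL(toUrl).origin;
}

// Headers for the follow-on request: credential headers are dropped whenever
// the redirect leaves the origin according to the supplied check.
function redirectHeaders(headers, fromUrl, toUrl, isSameOrigin) {
  const keep = isSameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!keep && CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      continue; // stripped on cross-origin redirect
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample request and the redirect targets named in the advisory.
const HEADERS = { Authorization: 'Bearer constructed-token', Accept: 'application/json' };
const START = 'https://api.example.test/resource';
const TARGETS = {
  sameOrigin: 'https://api.example.test/other',
  portChange: 'https://api.example.test:8443/resource',
  downgrade: 'http://api.example.test/resource',
  otherHost: 'https://other.example.test/resource',
};

// true when the Authorization header would be forwarded to the target.
function forwardsCredential(check, target) {
  return 'Authorization' in redirectHeaders(HEADERS, START, target, check);
}

// For every target: does each check forward the credential?
function report() {
  const rows = {};
  for (const [label, target] of Object.entries(TARGETS)) {
    rows[label] = { hostOnly: forwardsCredential(sameHostOnly, target),
                    fullOrigin: forwardsCredential(sameOrigin, target) };
  }
  return rows;
}
```

Only the same-origin target should keep the header under the fixed check; the host-only check also forwards it on the port change and the downgrade.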

Fix

Cleartext Transmission of Sensitive Information

Origin Validation Error

Information Disclosure

Insufficiently Protected Credentials

Related Identifiers

CVE-2026-48022
GHSA-X426-X7CC-3FPC

Affected Products

@Hapi/Wreck