PT-2026-57370 · Rubygems · Excon

CVE-2026-54171

·

Published

2026-07-10

·

Updated

2026-07-17

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Excon versions prior to 1.5.0
Description The RedirectFollower middleware fails to strip sensitive headers when following redirects and lacks a mechanism to define a custom list of headers to be removed. This behavior can lead to the inadvertent leakage of sensitive data if the initial request contains header information not intended for the redirect target.
Recommendations Update to version 1.5.0. As a temporary workaround, backport the fix to a custom redirect follower middleware.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54171
GHSA-48RX-C7PG-Q66R

Affected Products

Excon