From nobody Fri Apr 24 13:07:05 2026
Received: (at submit) by bugs.debian.org; 22 Apr 2026 15:54:57 +0000
Return-path: <jmm@inutil.org>
Received: from inutil.org ([51.38.114.215]:45454 helo=vps-b7ad3695.vps.ovh.net)
 by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <jmm@inutil.org>) id 1wFZui-00AQDc-0c
 for submit@bugs.debian.org; Wed, 22 Apr 2026 15:54:57 +0000
Received: from soju.westfalen.local (p548dc5fc.dip0.t-ipconnect.de
 [84.141.197.252])
 by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id 3268B164
 for <submit@bugs.debian.org>; Wed, 22 Apr 2026 15:54:55 +0000 (UTC)
Received: from jmm by soju.westfalen.local with local (Exim 4.99.1)
 (envelope-from <jmm@soju.westfalen.local>) id 1wFZuc-00000002pkA-2uTx
 for submit@bugs.debian.org; Wed, 22 Apr 2026 17:54:50 +0200
Date: Wed, 22 Apr 2026 17:54:50 +0200
To: submit@bugs.debian.org
Subject: node-follow-redirects: CVE-2026-40895
Message-ID: <aejvSi7LemZ8-Srk@pisco.westfalen.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
From: Moritz Mühlenhoff <jmm@inutil.org>
Delivered-To: submit@bugs.debian.org

Source: node-follow-redirects
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-follow-redirects.

CVE-2026-40895[0]:
| follow-redirects is an open source, drop-in replacement for Node's
| `http` and `https` modules that automatically follows redirects.
| Prior to 1.16.0, when an HTTP request follows a cross-domain
| redirect (301/302/307/308), follow-redirects only strips
| authorization, proxy-authorization, and cookie headers (matched by
| regex at index.js). Any custom authentication header (e.g.,
| X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to
| the redirect target. This vulnerability is fixed in 1.16.0.

https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653
https://github.com/follow-redirects/follow-redirects/pull/284
https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9 (v1.16.0)
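For readers evaluating the impact, the following is an added example (not code from follow-redirects, from PR 284, or from the 1.16.0 fix) of the header-sanitisation step a redirect-following client should run before re-issuing a request to a Location target. It contrasts a policy modelled on the advisory's description of the pre-1.16.0 behaviour (only authorization, proxy-authorization and cookie removed) with two stricter policies: a denylist extended by a credential-looking name pattern, and an explicit allowlist. Function names, policy names, the name pattern, and the sample headers and URLs are this example's own assumptions; an https-to-http downgrade on the same host is treated as cross-origin too.

```javascript
// Added example, not follow-redirects' code: header sanitisation before a
// client follows a redirect. Names and policies are this example's own.

// Modelled on the advisory's description of pre-1.16.0 behaviour: only
// three well-known headers are removed on a cross-domain hop.
const LEGACY_POLICY = {
  mode: "denylist",
  names: new Set(["authorization", "proxy-authorization", "cookie"]),
};

// Assumed hardened denylist (not the upstream fix): the same names plus
// any header whose name looks credential-bearing, so custom headers such
// as X-API-Key or X-Auth-Token are dropped as well.
const CREDENTIAL_DENYLIST_POLICY = {
  mode: "denylist",
  names: new Set(["authorization", "proxy-authorization", "cookie"]),
  pattern: /(^|-)(auth|authorization|token|key|secret|session|cookie|credential|password)(-|$)/i,
};

// Strictest option: forward only an explicit allowlist across origins.
const ALLOWLIST_POLICY = {
  mode: "allowlist",
  names: new Set(["accept", "accept-encoding", "accept-language", "user-agent", "content-type"]),
};

// A hop is cross-origin when scheme or host (hostname plus port) differ,
// so an https -> http downgrade on the same host also counts.
function isCrossOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.host !== b.host;
}

function policyDrops(policy, lowerName) {
  if (policy.mode === "allowlist") return !policy.names.has(lowerName);
  if (policy.names.has(lowerName)) return true;
  return Boolean(policy.pattern && policy.pattern.test(lowerName));
}

// Returns the headers to send to `toUrl` and the names that were removed.
// Same-origin redirects forward every header untouched.
function sanitizeHeadersForRedirect(headers, fromUrl, toUrl, policy) {
  if (!isCrossOrigin(fromUrl, toUrl)) {
    return { headers: { ...headers }, dropped: [] };
  }
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (policyDrops(policy, name.toLowerCase())) dropped.push(name);
    else kept[name] = value;
  }
  return { headers: kept, dropped };
}

// Constructed request headers and URLs for the demonstration.
const SAMPLE_HEADERS = {
  Authorization: "Bearer constructed-token",
  "X-API-Key": "constructed-api-key",
  Cookie: "sid=constructed",
  Accept: "application/json",
  "User-Agent": "demo-client/1.0",
};
const ORIGIN_URL = "https://api.example.com/v1/data";
const OTHER_HOST_URL = "https://files.example.net/v1/data";

// Runs the three policies over one cross-host redirect and returns the
// kept header names per policy, so the difference is easy to compare.
function demo() {
  const run = (policy) =>
    Object.keys(
      sanitizeHeadersForRedirect(SAMPLE_HEADERS, ORIGIN_URL, OTHER_HOST_URL, policy).headers
    ).sort();
  return {
    legacy: run(LEGACY_POLICY),
    hardened: run(CREDENTIAL_DENYLIST_POLICY),
    allowlist: run(ALLOWLIST_POLICY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the legacy policy the cross-host hop still carries X-API-Key, which is exactly the exposure the advisory describes; both stricter policies remove it. The allowlist is the safer default for a general-purpose client because it does not depend on guessing which custom header names carry secrets.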

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40895
    https://www.cve.org/CVERecord?id=CVE-2026-40895

Please adjust the affected versions in the BTS as needed.