[Pkg-javascript-devel] Bug#1134646: node-follow-redirects: CVE-2026-40895

Moritz Mühlenhoff jmm at inutil.org
Wed Apr 22 16:54:50 BST 2026


Source: node-follow-redirects
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-follow-redirects.

CVE-2026-40895[0]:
| follow-redirects is an open source, drop-in replacement for Node's
| `http` and `https` modules that automatically follows redirects.
| Prior to 1.16.0, when an HTTP request follows a cross-domain
| redirect (301/302/307/308), follow-redirects only strips
| authorization, proxy-authorization, and cookie headers (matched by
| regex at index.js). Any custom authentication header (e.g.,
| X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the
| redirect target. This vulnerability is fixed in 1.16.0.

https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653
https://github.com/follow-redirects/follow-redirects/pull/284
https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9 (v1.16.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40895
    https://www.cve.org/CVERecord?id=CVE-2026-40895

Please adjust the affected versions in the BTS as needed.
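The advisory above describes a denylist problem: stripping only `authorization`, `proxy-authorization` and `cookie` on a cross-domain redirect lets any other credential-bearing header travel to the new host. The following added example is not code from the node-follow-redirects package, the upstream fix or this bug report. It models the described pre-1.16.0 behaviour as `legacyRedirectHeaders`, places a broader name-based rule beside it as `hardenedRedirectHeaders`, and adds an audit helper that reports which headers the legacy rule would have forwarded. The function names, the credential-name pattern, the decision to compare full origins (scheme, host and port) rather than just the domain, and the sample header values are all assumptions made for illustration.

```javascript
// Added example (not follow-redirects' own code): which request headers may
// accompany a redirect, and which must be dropped once the target origin
// differs from the origin the request was originally sent to.

// Pre-1.16.0 behaviour as the advisory describes it: only these three header
// names are stripped, matched by a regex on the name.
const LEGACY_STRIP = /^(?:authorization|proxy-authorization|cookie)$/i;

// Hardened rule (an assumed heuristic, not the upstream fix): strip any header
// whose name looks like it carries a credential, covering the custom names the
// advisory lists (X-API-Key, X-Auth-Token, Api-Key, Token) and similar ones.
const CREDENTIAL_NAME = /auth|token|api[-_]?key|secret|session|cookie|credential/i;

// Assumption: a redirect is "cross-origin" when scheme, host or port changes.
// This is stricter than a pure domain comparison and also catches a redirect
// that downgrades https to http on the same host.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Return a copy of `headers` with every name matching `pattern` removed,
// but only when the redirect leaves the original origin.
function stripHeaders(headers, fromUrl, toUrl, pattern) {
  if (!isCrossOrigin(fromUrl, toUrl)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!pattern.test(name)) kept[name] = value;
  }
  return kept;
}

// Headers a pre-1.16.0 client would forward to the redirect target.
function legacyRedirectHeaders(headers, fromUrl, toUrl) {
  return stripHeaders(headers, fromUrl, toUrl, LEGACY_STRIP);
}

// Headers the hardened rule would forward to the redirect target.
function hardenedRedirectHeaders(headers, fromUrl, toUrl) {
  return stripHeaders(headers, fromUrl, toUrl, CREDENTIAL_NAME);
}

// Audit helper: names the legacy rule forwards but the hardened rule drops,
// i.e. the credentials that would leak to the new origin.
function leakedCredentialHeaders(headers, fromUrl, toUrl) {
  const legacy = legacyRedirectHeaders(headers, fromUrl, toUrl);
  const hardened = hardenedRedirectHeaders(headers, fromUrl, toUrl);
  return Object.keys(legacy).filter((name) => !(name in hardened));
}

// Constructed sample request headers with placeholder values.
const SAMPLE_HEADERS = {
  'Authorization': 'Bearer placeholder-token',
  'Cookie': 'session=placeholder',
  'X-API-Key': 'placeholder-api-key',
  'X-Auth-Token': 'placeholder-auth-token',
  'Accept': 'application/json',
  'User-Agent': 'example-client/1.0',
};

if (typeof require !== 'undefined' && require.main === module) {
  const from = 'https://api.example.test/v1/resource';
  const to = 'https://other.example.test/v1/resource';
  console.log('legacy forwards:  ', Object.keys(legacyRedirectHeaders(SAMPLE_HEADERS, from, to)));
  console.log('hardened forwards:', Object.keys(hardenedRedirectHeaders(SAMPLE_HEADERS, from, to)));
  console.log('would leak:       ', leakedCredentialHeaders(SAMPLE_HEADERS, from, to));
}
```

Over-stripping on a cross-origin hop is the safe failure mode: a header such as `Accept` survives, while anything whose name suggests a credential is dropped and the client can re-authenticate to the new origin deliberately if it needs to.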
