CVE-2026-40895

EUVD-2026-24472

21.04.2026, 21:16

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
follow-redirects_project	follow-redirects	𝑥 < 1.16.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-follow-redirects

bookworm	no-dsa
bullseye	postponed
forky	1.16.0+~1.14.4-2 fixed
sid	1.16.0+~1.14.4-2 fixed
trixie	no-dsa

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Vulnerability Media Exposure

References

https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653