CVE-2026-44979

ADVISORY - github

Summary

Impact

When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the original trust boundary.

Redirect following is opt-in. The redirects option defaults to false (no redirections followed), so applications are only affected if they have explicitly set redirects to a positive integer on the request or via Wreck.defaults({ redirects: ... }).

Patches

@hapi/wreck 18.1.1 extends the cross-hostname strip set to include proxy-authorization. Upgrade to 18.1.1 or later.

Workarounds

If upgrading is not immediately possible:

  • Leave redirects at its default (false) — applications that never enable redirect following are not affected.
  • If redirects are required, set redirects: 0 when calling endpoints with sensitive headers, or strip Proxy-Authorization from the headers before issuing the request.
  • Use the beforeRedirect hook to manually strip proxy-authorization (and any other sensitive application headers) when redirectOptions targets a different hostname than the original request.
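The third workaround above, written out as an added example (this is not code from the advisory or from @hapi/wreck): a `beforeRedirect` hook that drops `Proxy-Authorization`, along with `Authorization`, `Cookie` and any application-specific headers you list, whenever the redirect target resolves to a different hostname than the original request. Two assumptions are made about wreck's API and should be checked against the version you run: the hook signature `(redirectMethod, statusCode, location, resHeaders, redirectOptions, next)` as documented in the wreck README, and that `redirectOptions.headers` holds the header object used for the follow-up request.

```javascript
'use strict';

// Added example, not part of the advisory or of @hapi/wreck.
// Assumptions (verify against your wreck version):
//   - beforeRedirect is called as
//       (redirectMethod, statusCode, location, resHeaders, redirectOptions, next)
//   - redirectOptions.headers is the header object sent with the redirected request.

// Credential headers that must never leave the original host. Lower-case here;
// matching below is case-insensitive because header names are.
const SENSITIVE_HEADERS = ['authorization', 'cookie', 'proxy-authorization'];

// Return a copy of `headers` without any header whose name is in `names`.
function stripHeaders(headers, names) {
  const drop = new Set(names.map((n) => n.toLowerCase()));
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    if (!drop.has(name.toLowerCase())) {
      out[name] = value;
    }
  }
  return out;
}

// True when the Location value (absolute, or relative to the original URL)
// resolves to a hostname other than the one the request was sent to.
// WHATWG URL parsing lower-cases hostnames, so the comparison is case-insensitive.
function isCrossHost(originalUrl, location) {
  const from = new URL(originalUrl);
  const to = new URL(location, from); // relative redirects resolve against the original URL
  return from.hostname !== to.hostname;
}

// Apply the policy to a redirectOptions object in place and return it.
// `extra` lists additional application headers to treat as sensitive.
function sanitizeRedirectOptions(originalUrl, location, redirectOptions, extra = []) {
  if (isCrossHost(originalUrl, location)) {
    redirectOptions.headers = stripHeaders(redirectOptions.headers, [...SENSITIVE_HEADERS, ...extra]);
  }
  return redirectOptions;
}

// Build a beforeRedirect hook bound to the URL of the original request.
function makeBeforeRedirect(originalUrl, extraSensitive = []) {
  return function beforeRedirect(redirectMethod, statusCode, location, resHeaders, redirectOptions, next) {
    sanitizeRedirectOptions(originalUrl, location, redirectOptions, extraSensitive);
    next();
  };
}

// Intended use with wreck (not executed here; hypothetical URL):
//   const url = 'https://api.example.test/resource';
//   await Wreck.request('GET', url, {
//     redirects: 3,
//     headers: { 'Proxy-Authorization': 'Basic ...' },
//     beforeRedirect: makeBeforeRedirect(url, ['x-internal-token']),
//   });

module.exports = { SENSITIVE_HEADERS, stripHeaders, isCrossHost, sanitizeRedirectOptions, makeBeforeRedirect };
```

The hostname-only comparison mirrors the check the advisory describes for wreck's own strip set. A stricter policy would also strip on a scheme downgrade (an `https` request redirected to an `http` URL on the same host), which `isCrossHost` deliberately does not cover so that it matches the advisory's boundary; extend the predicate if your threat model includes that case.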

Resources

Common Weakness Enumeration (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

Insufficiently Protected Credentials
