| Name | CVE-2026-40895 |
|---|---|
| Description | follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1134646 |
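The description above comes down to one decision a redirect-following client makes: which request headers survive a hop to a different origin. The block below is an added example, not code from follow-redirects or from Debian; it models the pre-1.16.0 narrow denylist beside an allowlist-based hardened filter and an audit helper that names the headers the narrow filter would leak. Function names, the allowlist and all sample header values are constructed for this example.

```javascript
'use strict';
// Added example (not follow-redirects' own code): models how a redirect-following
// HTTP client decides which request headers survive a cross-domain redirect.
// Function names, the allowlist and the sample values are constructed.

// Narrow denylist reflecting the pre-1.16.0 behaviour the advisory describes:
// only these three header names are removed on a cross-domain redirect.
const NARROW_SENSITIVE = /^(?:authorization|proxy-authorization|cookie)$/i;

// Headers that carry no credential and are safe to forward to another origin
// (constructed allowlist; tighten or extend it for your own client).
const SAFE_CROSS_DOMAIN = new Set([
  'accept', 'accept-encoding', 'accept-language', 'user-agent', 'cache-control',
]);

// A redirect is cross-domain when scheme, host or port differs.
// WHATWG URL normalises default ports to '', so https://h/ and https://h:443/ match.
function isCrossDomain(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return from.protocol !== to.protocol ||
    from.hostname !== to.hostname ||
    from.port !== to.port;
}

// Weak filter: drop only the three regex-matched names, forward everything else.
// A custom header such as X-API-Key passes through to the new host.
function headersForRedirectWeak(headers, fromUrl, toUrl) {
  if (!isCrossDomain(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!NARROW_SENSITIVE.test(name)) out[name] = value;
  }
  return out;
}

// Hardened filter: on a cross-domain redirect forward only allowlisted names,
// so any header not explicitly known to be harmless is dropped by default.
function headersForRedirectHardened(headers, fromUrl, toUrl) {
  if (!isCrossDomain(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (SAFE_CROSS_DOMAIN.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Audit helper: header names the weak filter forwards but the hardened one
// drops, i.e. the headers that would reach the redirect target.
function leakedHeaders(headers, fromUrl, toUrl) {
  const weak = headersForRedirectWeak(headers, fromUrl, toUrl);
  const hard = headersForRedirectHardened(headers, fromUrl, toUrl);
  return Object.keys(weak).filter((name) => !(name in hard)).sort();
}

// Constructed sample: a request to an API host that redirects to another host.
const SAMPLE_HEADERS = {
  Accept: 'application/json',
  Authorization: 'Bearer constructed-token',
  'X-API-Key': 'constructed-api-key',
  Cookie: 'session=constructed',
};
const SAMPLE_FROM = 'https://api.example.test/v1/resource';
const SAMPLE_TO = 'https://cdn.example.test/resource';

// Run stand-alone to see which sample headers the narrow denylist lets through.
function demo() {
  return leakedHeaders(SAMPLE_HEADERS, SAMPLE_FROM, SAMPLE_TO);
}
```

The allowlist approach is the design choice worth noting: a denylist has to anticipate every header name an application might use for credentials (the advisory lists four that the regex misses), whereas an allowlist fails closed when an unknown header appears. The `leakedHeaders` helper is the check a practitioner can run against the header set their own application sends to confirm nothing credential-bearing crosses the origin boundary.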
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-follow-redirects (PTS) | bullseye | 1.13.1-1+deb11u1 | vulnerable |
| | bookworm | 1.15.2+~1.14.1-1 | vulnerable |
| | trixie | 1.15.9+~1.14.4-1 | vulnerable |
| | forky, sid | 1.15.11+~1.14.4-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-follow-redirects | source | (unstable) | (unfixed) | | | 1134646 |
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653
https://github.com/follow-redirects/follow-redirects/pull/284
https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9 (v1.16.0)