@hapi/wreck CVE-2026-44979
MEDIUM
GHSA-vhjm-w67q-g75c
Lifecycle Timeline
2DescriptionNVD
Impact
When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the original trust boundary.
Redirect following is opt-in. The redirects option defaults to false (no redirections followed), so applications are only affected if they have explicitly set redirects to a positive integer on the request or via Wreck.defaults({ redirects: ... }).
Patches
@hapi/wreck 18.1.1 extends the cross-hostname strip set to include proxy-authorization. Upgrade to 18.1.1 or later.
Workarounds
If upgrading is not immediately possible:
- Leave redirects at its default (
false) - applications that never enable redirect following are not affected. - If redirects are required, set redirects: 0 when calling endpoints with sensitive headers, or strip Proxy-Authorization from the headers before issuing the request.
- Use the
beforeRedirecthook to manually strip proxy-authorization (and any other sensitive application headers) whenredirectOptionstargets a different hostname than the original request.
Resources
- Related: CVE-2024-30260 / GHSA-3787-6prv-h9w3 (undici)
- RFC 7235 §4.4 - Proxy-Authorization
AnalysisAI
Proxy-Authorization header leakage in @hapi/wreck exposes forward-proxy credentials when redirect following is enabled and a 3xx response targets a different hostname. Prior to version 18.1.1, only Authorization and Cookie headers were stripped on cross-hostname redirects; the Proxy-Authorization header was forwarded intact to the redirect target, which may be an untrusted host outside the original trust boundary. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today