Skip to main content

@hapi/wreck CVE-2026-48022

MEDIUM
Information Exposure (CWE-200)
2026-06-11 https://github.com/hapijs/wreck GHSA-x426-x7cc-3fpc
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

AC:H reflects the attacker must control an adjacent port or forge a redirect; UI:N because exploitation is fully automated in server-side client code without human interaction.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 13:57 vuln.today
Analysis Generated
Jun 11, 2026 - 13:57 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 952 npm packages depend on @hapi/wreck (20 direct, 935 indirect)

Ecosystem-wide dependent count for version 18.1.2.

DescriptionGitHub Advisory

Impact

Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. The fix replaces the hostname comparison with a full-origin comparison (scheme, host, and port), aligning the behavior with the WHATWG Fetch same-origin definition used by browsers.

Patches

Upgrade to >= 18.1.2.

Workarounds

  • Set redirects: 0 (default) and handle redirects manually with a strict origin check.
  • Use the beforeRedirect hook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.

AnalysisAI

Credential header leakage in @hapi/wreck (npm) versions before 18.1.2 allows an attacker controlling an adjacent port on the same hostname, or capable of forging a redirect response, to capture Authorization, Cookie, and Proxy-Authorization headers from Node.js HTTP client applications. The library's redirect-following logic stripped credential headers only on hostname changes, leaving scheme and port components unchecked - so same-host redirects across ports (e.g., :443 → :8080) and HTTPS-to-HTTP downgrades forwarded credentials intact to the redirect target. No public exploit identified at time of analysis and not listed in CISA KEV, but the patch commit and test cases are publicly available in the GHSA advisory.

Technical ContextAI

The affected library is @hapi/wreck (pkg:npm/@hapi/wreck), a Node.js HTTP client widely used in the hapi.js ecosystem for server-side HTTP requests. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the redirect-following code in lib/index.js used the comparison uri.hostname !== parsedLocation.hostname to determine whether a redirect crossed an origin boundary, but the WHATWG Fetch specification defines a same-origin check as the tuple (scheme, host, port). By comparing only the hostname label, the guard was bypassed whenever a redirect changed only the port or scheme component. The single-line fix in commit b93323b63ad3adb14d2b4019d77219182211641e replaces uri.hostname with uri.origin, aligning the library with browser-standard origin semantics. Node.js URL objects expose an origin property that concatenates scheme, host, and port, making this a minimal and correct fix.

RemediationAI

Vendor-released patch: upgrade @hapi/wreck to version 18.1.2 or later via npm install @hapi/wreck@>=18.1.2. The fix is documented in GHSA-x426-x7cc-3fpc (https://github.com/hapijs/wreck/security/advisories/GHSA-x426-x7cc-3fpc) and patch commit b93323b63ad3adb14d2b4019d77219182211641e. If an immediate upgrade is blocked, two workarounds are available with different trade-offs: first, ensure redirects: 0 is set (this is already the default) and implement manual redirect handling with an explicit full-origin comparison - this eliminates the risk entirely but requires custom redirect logic in calling code; second, use the beforeRedirect hook provided by Wreck to inspect each redirect target's URL, comparing scheme, host, and port against the original request origin, and either strip Authorization, Cookie, and Proxy-Authorization headers or abort the request when a cross-origin redirect is detected. The hook-based approach preserves automatic redirect following but adds complexity and risk of misconfiguration. Neither workaround requires a package update.

Share

CVE-2026-48022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy