@hapi/wreck CVE-2026-48022
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
AC:H reflects the attacker must control an adjacent port or forge a redirect; UI:N because exploitation is fully automated in server-side client code without human interaction.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 952 npm packages depend on @hapi/wreck (20 direct, 935 indirect)
Ecosystem-wide dependent count for version 18.1.2.
DescriptionGitHub Advisory
Impact
Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. The fix replaces the hostname comparison with a full-origin comparison (scheme, host, and port), aligning the behavior with the WHATWG Fetch same-origin definition used by browsers.
Patches
Upgrade to >= 18.1.2.
Workarounds
- Set
redirects: 0(default) and handle redirects manually with a strict origin check. - Use the
beforeRedirecthook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.
AnalysisAI
Credential header leakage in @hapi/wreck (npm) versions before 18.1.2 allows an attacker controlling an adjacent port on the same hostname, or capable of forging a redirect response, to capture Authorization, Cookie, and Proxy-Authorization headers from Node.js HTTP client applications. The library's redirect-following logic stripped credential headers only on hostname changes, leaving scheme and port components unchecked - so same-host redirects across ports (e.g., :443 → :8080) and HTTPS-to-HTTP downgrades forwarded credentials intact to the redirect target. No public exploit identified at time of analysis and not listed in CISA KEV, but the patch commit and test cases are publicly available in the GHSA advisory.
Technical ContextAI
The affected library is @hapi/wreck (pkg:npm/@hapi/wreck), a Node.js HTTP client widely used in the hapi.js ecosystem for server-side HTTP requests. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the redirect-following code in lib/index.js used the comparison uri.hostname !== parsedLocation.hostname to determine whether a redirect crossed an origin boundary, but the WHATWG Fetch specification defines a same-origin check as the tuple (scheme, host, port). By comparing only the hostname label, the guard was bypassed whenever a redirect changed only the port or scheme component. The single-line fix in commit b93323b63ad3adb14d2b4019d77219182211641e replaces uri.hostname with uri.origin, aligning the library with browser-standard origin semantics. Node.js URL objects expose an origin property that concatenates scheme, host, and port, making this a minimal and correct fix.
RemediationAI
Vendor-released patch: upgrade @hapi/wreck to version 18.1.2 or later via npm install @hapi/wreck@>=18.1.2. The fix is documented in GHSA-x426-x7cc-3fpc (https://github.com/hapijs/wreck/security/advisories/GHSA-x426-x7cc-3fpc) and patch commit b93323b63ad3adb14d2b4019d77219182211641e. If an immediate upgrade is blocked, two workarounds are available with different trade-offs: first, ensure redirects: 0 is set (this is already the default) and implement manual redirect handling with an explicit full-origin comparison - this eliminates the risk entirely but requires custom redirect logic in calling code; second, use the beforeRedirect hook provided by Wreck to inspect each redirect target's URL, comparing scheme, host, and port against the original request origin, and either strip Authorization, Cookie, and Proxy-Authorization headers or abort the request when a cross-origin redirect is detected. The hook-based approach preserves automatic redirect following but adds complexity and risk of misconfiguration. Neither workaround requires a package update.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x426-x7cc-3fpc