excon CVE-2026-54171
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Network-reachable via outbound HTTP; no privileges required on the target; UI:R reflects the application must initiate the redirected request; C:H for full credential/token exposure; no integrity or availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Impact
The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip.
_What kind of vulnerability is it? Who is impacted?_ This could cause inadvertent leakage of sensitive data for users of the RedirectFollower middleware in cases where the initial request includes header information that is not intended for the new target.
Patches
Patch exists and is released in v1.5.0
Workarounds
Users can backport the fix to a custom redirect follower middleware.
AnalysisAI
Sensitive HTTP header leakage in the excon Ruby gem's RedirectFollower middleware exposes credentials and tokens to unintended redirect destinations. Applications using the RedirectFollower middleware that include headers such as Authorization or API keys in outbound requests will inadvertently forward those headers to the redirect target - which may be attacker-controlled or a third-party service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses the excon Ruby gem with the RedirectFollower middleware explicitly enabled and that the application includes sensitive HTTP headers (such as Authorization, Cookie, X-API-Key, or similar tokens) in its outbound HTTP requests. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N reflects a network-reachable vulnerability with low attack complexity and high confidentiality impact, but requiring some form of user or application interaction (UI:R) to trigger a redirect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application using excon with the RedirectFollower middleware sends a request to an API endpoint with an Authorization header containing a bearer token; the API server responds with a 302 redirect to a URL under attacker control (via SSRF, supply chain compromise of the API, or an open redirect). The unpatched middleware automatically follows the redirect and forwards the original Authorization header to the attacker's server, where the token is harvested and used to access the victim application's account or resources. |
| Remediation | Upgrade the excon gem to v1.5.0 or later, which patches the RedirectFollower middleware to strip sensitive headers before forwarding redirect requests. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-48rx-c7pg-q66r