Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin.
The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely.
This issue affects hackney: from 3.1.1 before 4.0.1.
AnalysisAI
Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or compromised redirect target to capture Authorization, Cookie, and Proxy-Authorization headers forwarded verbatim by the HTTP/3 redirect handler. The hackney_h3.erl module, introduced for HTTP/3 support, omitted the cross-origin credential-stripping logic (maybe_strip_auth_on_redirect/2) that was added to the main hackney.erl module following CVE-2018-1000007, creating a feature-parity gap exploitable when clients use follow_redirect with HTTP/3 and credential headers. No active exploitation is confirmed (not in CISA KEV), but SSVC assessment confirms a proof-of-concept exists; EPSS is low at 0.04% (13th percentile), consistent with targeted rather than opportunistic exploitation.
Technical ContextAI
hackney is a widely used Erlang HTTP client library maintained by benoitc, identified by CPE cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*. The vulnerability resides in src/hackney_h3.erl, the HTTP/3-specific transport module. CWE-601 (URL Redirection to Untrusted Site) captures the root cause: when handle_redirect processes a 3xx response, it passes the original Headers list directly to do_request_with_redirect without invoking any origin comparison. The main module hackney.erl has carried the same_origin/location_trusted guard since CVE-2018-1000007, but hackney_h3.erl was written without porting that protection. The CVSS 4.0 vector encodes AT:P (Attack Requirements: Present), reflecting that exploitation requires the specific combination of HTTP/3 transport, follow_redirect enabled, and credential headers being present in the outbound request - conditions common in server-to-server API clients but not universal.
RemediationAI
Vendor-released patch: upgrade to hackney 4.0.1 or later. The fix is confirmed in commit c58d5b50bade146360b85caf3dc8065807b08246 (https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246), which adds maybe_strip_redirect_headers/4 to hackney_h3.erl performing a same_origin/3 check (comparing scheme, lowercased host, and port) before forwarding headers, and drops Authorization, Cookie, and Proxy-Authorization on cross-origin redirects unless the caller sets location_trusted: true. If an immediate upgrade is not possible, the most effective compensating control is to disable follow_redirect in any HTTP/3 client calls that include credential headers, then implement manual redirect handling with explicit credential stripping before following cross-origin locations - this eliminates the vulnerable code path entirely at the cost of added application logic. Alternatively, restricting outbound HTTP/3 requests to trusted, internally controlled hosts via network policy removes the ability of an attacker-controlled server to issue redirect responses. Setting location_trusted: true is NOT a mitigation - it opts into the vulnerable behavior intentionally and should only be used when the redirect target is fully trusted.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31692
GHSA-h73q-4w9q-82h4