Skip to main content

Follow Redirects

3 CVEs product

Monthly

CVE-2026-40895 npm MEDIUM PATCH This Month

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Information Disclosure Follow Redirects
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-28849 npm MEDIUM POC PATCH This Month

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Follow Redirects
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2023-26159 npm HIGH POC PATCH This Week

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Follow Redirects
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Information Disclosure Follow Redirects
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Follow Redirects
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Follow Redirects
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy