CVE-2026-40895
follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
| CWE | CWE-200 |
| Vendor | follow-redirects |
| Product | follow-redirects |
| Published | Apr 21, 2026 |
Stay Ahead of the Next One
Get instant alerts for follow-redirects follow-redirects
Be the first to know when new unknown vulnerabilities affecting follow-redirects follow-redirects are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
follow-redirects / follow-redirects
< 1.16.0