CVE-2026-44979
@hapi/wreck : Sensitive `Proxy-Authorization` header leaked across cross-hostname redirects
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped, and the standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the original trust boundary when redirects are enabled through the redirects option or Wreck.defaults({ redirects: ... }). This issue is fixed in version 18.1.1.
| CWE | CWE-200 CWE-522 |
| Vendor | hapijs |
| Product | wreck |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for hapijs wreck
Be the first to know when new unknown vulnerabilities affecting hapijs wreck are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
hapijs / wreck
< 18.1.1