๐Ÿ” CVE Alert

CVE-2026-44979

UNKNOWN 0.0

@hapi/wreck : Sensitive `Proxy-Authorization` header leaked across cross-hostname redirects

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped, and the standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the original trust boundary when redirects are enabled through the redirects option or Wreck.defaults({ redirects: ... }). This issue is fixed in version 18.1.1.

CWE CWE-200 CWE-522
Vendor hapijs
Product wreck
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for hapijs wreck

Be the first to know when new unknown vulnerabilities affecting hapijs wreck are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

hapijs / wreck
< 18.1.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/hapijs/wreck/security/advisories/GHSA-vhjm-w67q-g75c github.com: https://github.com/hapijs/wreck/pull/312 github.com: https://github.com/hapijs/wreck/commit/a5b6fac9c684621c1d5733d10a0257697cfea373 github.com: https://github.com/hapijs/wreck/releases/tag/v18.1.1