๐Ÿ” CVE Alert

CVE-2026-48022

MEDIUM 6.5

@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.

CWE CWE-319 CWE-346 CWE-522
Vendor hapijs
Product wreck
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for hapijs wreck

Be the first to know when new medium vulnerabilities affecting hapijs wreck are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

hapijs / wreck
< 18.1.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/hapijs/wreck/security/advisories/GHSA-x426-x7cc-3fpc github.com: https://github.com/hapijs/wreck/pull/313 github.com: https://github.com/hapijs/wreck/commit/b93323b63ad3adb14d2b4019d77219182211641e github.com: https://github.com/hapijs/wreck/releases/tag/v18.1.2