Unvalidated Redirects in AdonisJS HTTP Server Package
CVE-2026-40255
6.1 MEDIUM
What is CVE-2026-40255?
The AdonisJS HTTP Server package contains an open-redirect vulnerability in the response.redirect().back() method. In the affected versions, back() reads the Referer header of the incoming request and redirects to that value without checking that its host belongs to the application. Because the Referer header is set by the client, an attacker who can make a victim's browser send a request with a crafted Referer (for example, by linking to the application from a page the attacker controls) can have the application redirect the victim to an external site of the attacker's choosing. The victim follows a link that points at a trusted domain and lands on an attacker-controlled page, which is the classic setup for phishing. Every AdonisJS application that calls response.redirect().back() on an affected version is exposed. The issue has been fixed in the releases that form the upper bounds of the affected ranges listed below.
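The following JavaScript is an added illustration of the flaw and its fix; it is not code from the AdonisJS repository and does not use the AdonisJS API. naiveBack mirrors the behaviour the advisory describes (the Referer value is used as the redirect target unchecked), and safeBack shows the validation a back-redirect needs: parse the Referer as an absolute URL, accept only http(s), compare its host against a configured allowlist, and return only the path portion. The function names, the allowedHosts configuration and the sample Referer values are assumptions made for this example.

```javascript
// Added example, not AdonisJS code. Node.js >= 10 (uses the global WHATWG URL class).

// Mirrors the behaviour described in the advisory: whatever the client put in
// Referer becomes the Location of the redirect, so an external host is honoured.
function naiveBack(referer, fallback = '/') {
  return referer || fallback;
}

// Hardened version. Only an absolute http(s) Referer whose host is on the
// configured allowlist is honoured, and only its path/query/fragment is returned,
// so the redirect can never leave the application or change scheme.
// `allowedHosts` is assumed to come from configuration rather than from the
// request's Host header, which an attacker can often influence as well.
function safeBack(referer, allowedHosts, fallback = '/') {
  if (typeof referer !== 'string' || referer.length === 0) return fallback;
  let url;
  try {
    // No base URL on purpose: a Referer must be absolute. Scheme-relative values
    // such as "//evil.example/x" therefore fail to parse and fall back.
    url = new URL(referer);
  } catch {
    return fallback;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  // url.host keeps a non-default port, so "app.example:8443" is not "app.example".
  const hosts = (Array.isArray(allowedHosts) ? allowedHosts : [allowedHosts])
    .map((h) => h.toLowerCase());
  if (!hosts.includes(url.host)) return fallback; // URL already lowercases host
  return url.pathname + url.search + url.hash;
}

// Constructed sample Referer values (not captured traffic) covering the cases a
// redirect validator has to get right.
const sampleReferers = [
  { referer: 'https://app.example/orders?page=2', note: 'legitimate same-site Referer' },
  { referer: 'https://evil.example/phish', note: 'attacker-chosen external host' },
  { referer: 'https://app.example.evil.example/', note: 'allowed host used as a prefix' },
  { referer: '//evil.example/x', note: 'scheme-relative value' },
  { referer: 'javascript:alert(1)', note: 'non-http scheme' },
  { referer: undefined, note: 'no Referer header at all' },
];

// Returns one row per sample showing where each implementation would send the user.
function demo(allowedHosts = ['app.example']) {
  return sampleReferers.map(({ referer, note }) => ({
    note,
    naive: naiveBack(referer),
    safe: safeBack(referer, allowedHosts),
  }));
}

for (const row of demo()) {
  console.log(`${row.note}: naive -> ${row.naive} | safe -> ${row.safe}`);
}
```

Two design points worth noting. The allowlist is compared against the parsed host, never against a string prefix, so app.example.evil.example is rejected; and the function returns a path rather than the full URL, so a Referer that points at the right host over plain http cannot downgrade an https session. Applications on an affected release should upgrade rather than wrap back() themselves; the pattern above is what the check looks like, not a substitute for the patched package.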
Affected Version(s)
http-core < 7.4.0
http-server >= 8.0.0-next.0, < 8.2.0
http-server < 7.8.1
