Cross-Domain Redirect Vulnerability in Follow-Redirects for Node.js
CVE-2026-40895

6.9 MEDIUM

Key Information:

Vendor
CVE Published:
21 April 2026

What is CVE-2026-40895?

The follow-redirects library simplifies HTTP requests in Node.js by automatically following redirects. In versions prior to 1.16.0, it does not adequately handle custom authentication headers on cross-domain redirects: it strips the standard Authorization, Proxy-Authorization, and Cookie headers, but custom headers such as X-API-Key or X-Auth-Token are forwarded unaltered to the redirect target. An application that authenticates with such a header can therefore leak its credential to an untrusted site that a redirect points at, exposing it to unauthorized access. Updating to version 1.16.0 or later addresses the issue.
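The two header-forwarding policies the advisory contrasts, as an added illustration rather than follow-redirects' own code: the cross-host test and the set of custom credential header names are assumptions for this example, and the request is constructed.

```javascript
// Header names follow-redirects already strips on a cross-domain redirect.
const STANDARD_CREDENTIAL_HEADERS = new Set([
  "authorization", "proxy-authorization", "cookie",
]);

// Constructed list of application-defined credential headers (assumption:
// each application registers the headers it uses to authenticate).
const CUSTOM_CREDENTIAL_HEADERS = new Set(["x-api-key", "x-auth-token"]);

// Assumption for the example: a redirect is cross-host when the scheme or
// the host (including port) differs from the original request.
function isCrossHost(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return from.protocol !== to.protocol || from.host !== to.host;
}

// Copy headers, dropping those whose lower-cased name is in `drop`.
function filterHeaders(headers, drop) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!drop.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Pre-1.16.0 behaviour described above: only the three standard headers are
// removed, so a custom credential header is forwarded to the new host.
function headersForRedirectLegacy(headers, fromUrl, toUrl) {
  if (!isCrossHost(fromUrl, toUrl)) return { ...headers };
  return filterHeaders(headers, STANDARD_CREDENTIAL_HEADERS);
}

// Hardened policy: also remove every registered custom credential header.
function headersForRedirectHardened(headers, fromUrl, toUrl) {
  if (!isCrossHost(fromUrl, toUrl)) return { ...headers };
  const drop = new Set([...STANDARD_CREDENTIAL_HEADERS, ...CUSTOM_CREDENTIAL_HEADERS]);
  return filterHeaders(headers, drop);
}

// Names of credential headers a policy would still send to the redirect target.
function leakedCredentialHeaders(policy, headers, fromUrl, toUrl) {
  const forwarded = policy(headers, fromUrl, toUrl);
  return Object.keys(forwarded).filter((name) => {
    const n = name.toLowerCase();
    return STANDARD_CREDENTIAL_HEADERS.has(n) || CUSTOM_CREDENTIAL_HEADERS.has(n);
  });
}

// Constructed request: an API call whose response redirects to another host.
const sampleHeaders = {
  Authorization: "Bearer example-token",
  "X-API-Key": "example-api-key",
  Accept: "application/json",
};
const sampleUrl = "https://api.example.com/v1/resource";
const sampleRedirect = "https://cdn.example.net/resource";
```

Running `leakedCredentialHeaders` with each policy on the sample request shows the legacy policy still forwarding X-API-Key while the hardened one forwards nothing credential-bearing.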

Affected Version(s)

follow-redirects < 1.16.0

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved