HTTP Client Utility Vulnerability in Hapi Wreck by Hapi.js
CVE-2026-48022
What is CVE-2026-48022?
Hapi Wreck, an HTTP client utility, has a vulnerability that can lead to the inadvertent exposure of user credentials. Prior to version 18.1.2, Wreck fails to adequately strip credential headers—such as Authorization, Cookie, and Proxy-Authorization—when following cross-origin redirects. This issue arises because the origin check only considers hostnames, neglecting to account for scheme and port differences. As a result, credentials may be forwarded across same-host port changes and from HTTPS to HTTP, facilitating potential attacks by adjacent tenants or network position attackers. They can capture sensitive information like bearer tokens and session cookies, leading to possible impersonation of users on upstream services. This vulnerability has been resolved in version 18.1.2.
Affected Version(s)
wreck < 18.1.2
