follow-redirects: Auth Header Leak via Cross-Domain Redirects (1.15.x)
CVE-2026-40895 Published on April 21, 2026
follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2026-40895 has been classified as an Information Disclosure vulnerability or weakness.
Affected Versions
follow-redirects versions earlier than 1.16.0 are affected by CVE-2026-40895.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares to those of all other scored vulnerabilities.