Platform
nodejs
Component
follow-redirects
Fixed in
1.16.1
CVE-2026-40895 is a header leak vulnerability discovered in the follow-redirects Node.js module. This vulnerability allows attackers to potentially expose sensitive authentication headers when a request follows a cross-domain redirect. Versions 0.0.0 through 1.15.9 are affected, and the vulnerability is resolved in version 1.16.0.
The core impact of CVE-2026-40895 lies in the unintentional exposure of custom authentication headers. When a request is redirected to a different domain, follow-redirects versions prior to 1.16.0 fail to properly sanitize all headers. Specifically, headers beyond the standard authorization, proxy-authorization, and cookie are passed verbatim to the redirect target. This means that custom headers like X-API-Key, X-Auth-Token, or Api-Key could be inadvertently leaked to unintended third-party servers. An attacker controlling the redirect target could then harvest these credentials and use them to gain unauthorized access to systems or data protected by those authentication mechanisms. The blast radius depends on the sensitivity of the exposed authentication headers and the potential reach of the redirect target.
CVE-2026-40895 was published on 2026-04-21. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS, indicating a low probability of exploitation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
The primary mitigation for CVE-2026-40895 is to upgrade the follow-redirects module to version 1.16.0 or later. This version includes the necessary fix to properly strip all custom authentication headers during cross-domain redirects. If upgrading is not immediately feasible, consider implementing a reverse proxy or WAF rule to filter out potentially sensitive headers before they are sent to the redirect target. Specifically, block the forwarding of custom headers like X-API-Key, X-Auth-Token, and Api-Key. After upgrading, verify the fix by sending a request with a custom authentication header through a cross-domain redirect and confirming that the header is not present in the redirected request.
Actualice el paquete `follow-redirects` a la versión 1.16.0 o superior para evitar la fuga de encabezados de autenticación personalizados a los objetivos de redirección de dominio cruzado. Esto se puede hacer utilizando npm o yarn.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40895 is a header leak vulnerability in the follow-redirects Node.js module, allowing custom authentication headers to be exposed during cross-domain redirects.
You are affected if you are using follow-redirects version 0.0.0 through 1.15.9. Check your project dependencies to determine if you are vulnerable.
Upgrade to version 1.16.0 or later of the follow-redirects module. If immediate upgrade is not possible, implement WAF rules to block sensitive headers.
As of the publication date, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the follow-redirects GitHub repository for updates and advisories: https://github.com/substack/node-follow-redirects
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.