CVE-2026-48022
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-319
Transmisión de información sensible en texto claro
Fecha de publicación:
17/07/2026
Última modificación:
17/07/2026
Descripción
*** Pendiente de traducción *** @hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.
Impacto
Puntuación base 3.x
6.50
Gravedad 3.x
MEDIA



