CVE-2026-48022
Severity CVSS v4.0:
Pending analysis
Type:
CWE-319
Cleartext Transmission of Sensitive Information
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM



