@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
- When
- Where: Global (internet)
- Category: cyber_advisory · npm
### Impact

Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. The fix replaces the hostname comparison with a full-origin comparison (scheme, host, and port), aligning the behavior with the WHATWG Fetch same-origin definition used by browsers.

### Patches

Upgrade to >= 18.1.2.

### Workarounds

- Set `redirects: 0` (default) and handle redirects manually with a strict origin check.
- Use the `beforeRedirect` hook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.
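The hostname-only check beside the full-origin comparison the advisory describes, applied to credential-header stripping on redirect. This is an added example, not Wreck's own code; the `redirectHeaders` helper, the header values and the redirect targets are constructed for illustration, and only the WHATWG `URL` API built into Node.js is used.

```javascript
// Added example (not @hapi/wreck code): weak vs. corrected origin comparison
// for deciding whether credential headers may follow a redirect.
const SENSITIVE_HEADERS = ['authorization', 'cookie', 'proxy-authorization'];

// Vulnerable comparison: hostnames only, so a port change or an
// HTTPS -> HTTP downgrade still counts as "same origin".
function sameHostOnly(fromUrl, toUrl) {
  return new URL(fromUrl).hostname === new URL(toUrl).hostname;
}

// Corrected comparison: scheme, host and port (WHATWG Fetch same-origin).
// URL.origin normalizes default ports, so https://a:443 equals https://a.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Build the header set for the follow-on request. Credential headers are
// dropped unless the supplied comparison says the target is same-origin.
function redirectHeaders(headers, fromUrl, toUrl, isSameOrigin = sameOrigin) {
  const keep = isSameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (keep || !SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      out[name] = value;
    }
  }
  return out;
}

// Constructed request headers and redirect targets (hypothetical hosts).
const headers = { Authorization: 'Bearer token', Cookie: 'sid=1', Accept: 'application/json' };
const from = 'https://api.example.com/v1/resource';
const cases = {
  crossPort: 'https://api.example.com:8443/capture', // same host, adjacent port
  downgrade: 'http://api.example.com/capture',        // HTTPS -> HTTP
  samePort:  'https://api.example.com:443/v1/other',  // default port, same origin
  crossHost: 'https://other.example.net/capture',     // different host
};

// For each redirect target, list which headers each check lets through.
function demo() {
  const report = {};
  for (const [label, to] of Object.entries(cases)) {
    report[label] = {
      vulnerable: Object.keys(redirectHeaders(headers, from, to, sameHostOnly)),
      fixed: Object.keys(redirectHeaders(headers, from, to, sameOrigin)),
    };
  }
  return report;
}
```

Run `demo()` and note that the hostname-only check forwards `Authorization` and `Cookie` to the cross-port and downgraded targets, while the full-origin check forwards them only to the same-origin target.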
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-11 13:27 UTC