CVE-2026-40255
@adonisjs/http-server has an Open Redirect vulnerability
Description
### Impact

The `response.redirect().back()` method in `@adonisjs/http-server` is vulnerable to open redirects. The method reads the `Referer` header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the `Referer` header (for example, by linking a user through an attacker-controlled page before a form submission) can cause the application to redirect users to a malicious external site.

This affects all AdonisJS applications that use `response.redirect().back()` or `response.redirect('back')`.

The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

### Patches

This has been fixed in `@adonisjs/http-server` version **8.2.0**. The `back()` method now validates the `Referer` header's host against the request's own `Host` header. Referrers from unrecognized hosts are rejected and the redirect falls back to `/` (or a developer-provided fallback URL).

Applications that operate across multiple domains can configure additional trusted hosts via the `redirect.allowedHosts` option in `config/app.ts`.

Users should upgrade to `@adonisjs/http-server@^8.2.0` (or `@adonisjs/core@^7.4.0` if using the core meta-package).

### Workarounds

If upgrading is not immediately possible, avoid using `response.redirect().back()` in routes that are reachable by unauthenticated users or from pages that accept external traffic. Instead, redirect to a known safe path explicitly using `response.redirect().toPath('/dashboard')`.

### References

- [CWE-601: URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)
- [OWASP: Unvalidated Redirects and Forwards](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
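The host check described under "Patches", as an added stand-alone example (not the `@adonisjs/http-server` implementation): `naiveBack` is the pre-8.2.0 behaviour of trusting `Referer` verbatim, and `resolveBackRedirect` only follows it when its host matches the request's `Host` header or an allow-list. The `headers` object with lowercase keys and the `allowedHosts` array mirroring `redirect.allowedHosts` are assumptions for this example.

```javascript
// Pre-fix behaviour (as the advisory describes it): redirect wherever
// the Referer header points, with no host validation.
function naiveBack(headers, fallback = '/') {
  return headers['referer'] || fallback;
}

// Hardened variant. `headers` is assumed to be a plain object keyed by
// lowercase header name (as Node's IncomingMessage.headers is).
// `allowedHosts` is an assumed array of extra trusted hostnames, in the
// spirit of the advisory's `redirect.allowedHosts` option.
function resolveBackRedirect(headers, { allowedHosts = [], fallback = '/' } = {}) {
  const referer = headers['referer'];
  const host = headers['host'];
  if (!referer || !host) return fallback;

  let target;
  try {
    // Resolve against the request's own origin so a relative Referer such
    // as "/orders" is kept, while "//evil.example/x" becomes an absolute
    // URL on a foreign host and is caught by the host comparison below.
    target = new URL(referer, `http://${host}`);
  } catch {
    return fallback; // unparsable Referer: never echo it back
  }

  // Only http(s) targets may be used as a Location value.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback;

  // `target.host` includes a non-default port, so "localhost:3333" is
  // compared as a unit; userinfo tricks ("https://app@evil.example/")
  // do not affect it because the parser puts "app" into `username`.
  const trusted = new Set([host, ...allowedHosts].map((h) => h.toLowerCase()));
  if (!trusted.has(target.host.toLowerCase())) return fallback;

  if (target.host.toLowerCase() === host.toLowerCase()) {
    // Same host: emit a relative location so the request's real scheme
    // (which the Host header does not tell us) is preserved.
    return target.pathname + target.search + target.hash;
  }
  return target.href; // an allow-listed sibling domain keeps its full URL
}

module.exports = { naiveBack, resolveBackRedirect };
```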
How to fix CVE-2026-40255
To remediate CVE-2026-40255, upgrade the affected package to a fixed version below.
- —upgrade to 7.3.1 or later
- —upgrade to 8.2.0 or later
Is CVE-2026-40255 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.