CVE-2026-48022
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
Description
### Impact

Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. The fix replaces the hostname comparison with a full-origin comparison (scheme, host, and port), aligning the behavior with the WHATWG Fetch same-origin definition used by browsers.

### Patches

Upgrade to >= 18.1.2.

### Workarounds

- Set `redirects: 0` (default) and handle redirects manually with a strict origin check.
- Use the `beforeRedirect` hook to inspect the redirect target and abort or strip sensitive headers before the follow-on request.
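As an added example (not wreck's own code), the two origin comparisons the advisory contrasts, implemented with Node's built-in WHATWG `URL` class, plus a header filter of the kind a `beforeRedirect` hook could apply before the follow-on request. The sample headers are constructed placeholders.

```javascript
// Added example, not @hapi/wreck's own code. Uses Node's built-in WHATWG URL.
// Credential headers the advisory names, compared case-insensitively.
const CREDENTIAL_HEADERS = ['authorization', 'cookie', 'proxy-authorization'];

// The comparison the advisory describes as vulnerable: hostname only, so a
// port change or an https->http downgrade still counts as "same origin".
function sameHostnameOnly(fromUrl, toUrl) {
  return new URL(fromUrl).hostname === new URL(toUrl).hostname;
}

// The fixed comparison: scheme, host and port must all match (WHATWG Fetch
// same-origin). URL.origin already normalises default ports (":443" -> "").
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Returns a copy of `headers` with credential headers removed unless the
// redirect target is same-origin. The check is injectable so the vulnerable
// and fixed behaviour can be compared side by side.
function headersForRedirect(fromUrl, toUrl, headers, isSameOrigin = sameOrigin) {
  if (isSameOrigin(fromUrl, toUrl)) {
    return { ...headers };
  }
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      forwarded[name] = value;
    }
  }
  return forwarded;
}

// Constructed sample request headers (placeholder values, not real secrets).
const SAMPLE_HEADERS = {
  Authorization: 'Bearer constructed-sample-token',
  Cookie: 'session=constructed-sample-cookie',
  'Proxy-Authorization': 'Basic constructed-sample-proxy',
  Accept: 'application/json',
};

// Reports which credential headers the hostname-only check would have
// forwarded to `toUrl` that the full-origin check withholds.
function leakedByHostnameCheck(fromUrl, toUrl, headers = SAMPLE_HEADERS) {
  const weak = headersForRedirect(fromUrl, toUrl, headers, sameHostnameOnly);
  const strict = headersForRedirect(fromUrl, toUrl, headers, sameOrigin);
  return Object.keys(weak).filter((name) => !(name in strict));
}
```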
How to patch CVE-2026-48022
To patch CVE-2026-48022, upgrade the affected package to the following patched version.
- Upgrade to 18.1.2 or later
Is CVE-2026-48022 being exploited?
There are currently no exploitation signals. CVE-2026-48022 is not in CISA KEV and has no recent EPSS score.
Affected packages (1)
- from 0, < 18.1.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |