6 matches found
ROOT-APP-NPM-CVE-2026-44979 CVE-2026-44979 in @rootio/hapi__wreck - Patched by Root
Root has patched CVE-2026-44979 in the @rootio/hapi__wreck package for Root:npm. Multiple fixed versions available...
GHSA-X426-X7CC-3FPC @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
Impact: Wreck strips the credential headers `Authorization`, `Cookie` and `Proxy-Authorization` before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP...
GHSA-VHJM-W67Q-G75C @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects
Impact: When @hapi/wreck follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...
20yearrewards (>=1.0.7 <=1.0.8), 3id-test-helper (>=1.0.0 <=1.0.4) +1062 more potentially affected by CVE-2026-44979 via @hapi/wreck (>=15.1.0 <=18.0.1)
@hapi/wreck NPM version =15.1.0, =1.0.7, =1.0.0, =0.24.0, =2.0.2, =6.8.2, =1.4.0, =1.0.0, =0.0.2, =1.0.0, =1.6.0, =1.7.10 and more Source cves: CVE-2026-44979 Source advisory: OSV:GHSA-VHJM-W67Q-G75C...
@userfront/bell (>=5.2.3-0 <=6.0.0), ffc-auth (>=0.1.0 <=0.13.0-alpha.2) +1 more potentially affected by CVE-2026-44979 via @hapi/wreck (>=18.0.0 <=18.0.1)
@hapi/wreck NPM version =18.0.0, =5.2.3-0, =0.1.0, =1.0.2, =1.0.4 Source cves: CVE-2026-44979 Source advisory: SNYK:JS-HAPIWRECK-16881586...
PT-2026-43631
Impact: When @hapi/wreck follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...