64 matches found

Akamai Blog
added yesterday, 3 views

Your Origin Server Might Be Your Most Expensive Decision

...

AI score 5.4
Exploits 0
OSV
added 5 days ago, 3 views

GHSA-P92Q-9VQR-4J8V Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Summary: Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected UR...

CVSS 8.2, AI score 5.8
Exploits 0, References 4
AstraLinux
added 2026/05/20 5:53 a.m., 4 views

Astra Linux - vulnerability in apache2

The Apache HTTP Server versions 2.4.6 to 2.4.46, with the mod_proxy_wstunnel module configured, were used to handle a URL. The origin server did not necessarily upgrade this connection. This setup allowed subsequent requests on the same connection to be processed without any HTTP validation,...

CVSS 5.3, AI score 6.6, EPSS 0.08635
Exploits 0, References 1
AstraLinux
added 2026/05/20 5:53 a.m., 8 views

Astra Linux - vulnerability in apache2

A properly crafted request URI-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier...

CVSS 9, AI score 7.2, EPSS 0.94432
Exploits 5, References 2
AstraLinux
added 2026/05/20 5:53 a.m., 5 views

Astra Linux - vulnerability in apache2

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on the client-side Connection header hop-by-hop mechanism. This could be used to bypass IP-based authentication on the origin server/application...

CVSS 9.8, AI score 7.3, EPSS 0.00047
Exploits 1, References 2
Cvelist
added 2026/02/23 12:0 a.m., 21 views

CVE-2026-26365

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing pat...

CVSS 4, EPSS 0.00043
Exploits 0, References 1
The Hacker News
added 2026/01/20 11:12 a.m., 14 views

Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers

Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access origin servers. "The vulnerability was rooted in how our edge network processed requests destined for the...

AI score 6.2
Exploits 0
Hacker One
added 2025/12/28 4:18 p.m., 11 views

curl: Proxy-Authorization header is leaked to origin server after redirect from proxied to direct connection

Summary: curl leaks the Proxy-Authorization header to the origin server after following an HTTP redirect that transitions from a proxied connection to a direct connection e.g. when using --noproxy or when proxy is bypassed after redirect. This causes proxy credentials which are hop-by-hop to be se...

AI score 6.8
Exploits 0
Positive Technologies
added 2025/12/17 12:0 a.m., 4 views

PT-2025-51973

Name of the Vulnerable Software and Affected Versions: Open OnDemand versions prior to 4.1. Description: Open OnDemand provides remote web access to supercomputers. The Apache proxy in versions 4.0.8 and earlier allows sensitive headers to be passed to origin servers. This could allow malicious user...

CVSS 7.6, AI score 6.5, EPSS 0.00035
Exploits 0, References 5
RedhatCVE
added 2025/12/05 12:9 a.m., 4 views

CVE-2025-66373

Akamai Ghost on Akamai CDN edge servers before 2025-11-17 has a chunked request body processing error that can result in HTTP request smuggling. When Akamai Ghost receives an invalid chunked body that includes a chunk size different from the actual size of the following chunk data, under certain...

CVSS 4.8, AI score 6.8, EPSS 0.00034
Exploits 0, References 1
NVD
added 2025/12/04 5:15 p.m., 2 views

CVE-2025-66373

Akamai Ghost on Akamai CDN edge servers before 2025-11-17 has a chunked request body processing error that can result in HTTP request smuggling. When Akamai Ghost receives an invalid chunked body that includes a chunk size different from the actual size of the following chunk data, under certain...

CVSS 4.8, EPSS 0.00034
Exploits 0, References 2
CVE
added 2025/12/04 12:0 a.m., 22 views

CVE-2025-66373

Akamai Ghost on Akamai CDN edge servers prior to 2025-11-17 is affected by a chunked request body processing error that can cause HTTP request smuggling when an invalid chunked body includes a chunk size that differs from the following data. The issue can forward the invalid request and superfluo...

CVSS 4.8, AI score 6.5, EPSS 0.00034
Exploits 0, References 2, Affected Software 1
Cvelist
added 2025/12/04 12:0 a.m., 20 views

CVE-2025-66373

Akamai Ghost on Akamai CDN edge servers before 2025-11-17 has a chunked request body processing error that can result in HTTP request smuggling. When Akamai Ghost receives an invalid chunked body that includes a chunk size different from the actual size of the following chunk data, under certain...

EPSS 0.00034
Exploits 0, References 2
Microsoft CVE
added 2025/09/04 7:3 a.m., 1 views

PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

...

CVSS 8.8, AI score 7, EPSS 0.00048
Exploits 1
CVE
added 2025/08/29 12:0 a.m., 17 views

CVE-2025-54142

CVE-2025-54142 affects Akamai Ghost (versions prior to 2025-07-21). The issue is HTTP Request Smuggling via an OPTIONS request that carries an entity body, enabling a following request on the same persistent connection between an Akamai proxy and an origin server when the origin server violates c...

CVSS 4, AI score 6.5, EPSS 0.00052
Exploits 0, References 2
Vulnrichment
added 2025/08/29 12:0 a.m., 1 views

CVE-2025-54142

Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an Akamai proxy server and an origin server, if the origin server violates certain Internet standards...

CVSS 4, AI score 6.5, EPSS 0.00052
Exploits 0, References 2
Cvelist
added 2025/08/29 12:0 a.m., 5 views

CVE-2025-54142

Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an Akamai proxy server and an origin server, if the origin server violates certain Internet standards...

CVSS 4, EPSS 0.00052
Exploits 0, References 2
Vulnrichment
added 2025/08/14 1:0 p.m., 3 views

CVE-2025-8714 PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected...

CVSS 8.8, AI score 7.6, EPSS 0.00048
Exploits 1, References 1
CVE
added 2025/08/14 1:0 p.m., 100 views

CVE-2025-8714

CVE-2025-8714 affects PostgreSQL (and variants in related advisories) via Untrusted data inclusion in pg_dump, pg_dumpall, and pg_restore, allowing a malicious superuser to inject code during restore as the client OS account running psql. The issue arises from processing psql meta-commands in dum...

CVSS 8.8, AI score 7.6, EPSS 0.00048
Exploits 1, References 1
Cvelist
added 2024/11/06 7:47 a.m., 21 views

CVE-2024-9681 HSTS subdomain overwrites parent cache entry

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

EPSS 0.00745
Exploits 1, References 3