Lucene search
K

180 matches found

CVE
CVE
added 3 hours ago11 views

CVE-2026-15075

CVE-2026-15075 affects Eclipse Vert.x up to 4.5.29 (4.x) and 5.1.4 (5.x). The DefaultRedirectHandler in vertx-core forwards all request headers across cross-origin HTTP 30x redirects, stripping only Content-Length. No origin check is performed before copying headers to the redirect target. This a...

8.2CVSS6.2AI score
Exploits0References1
OSV
OSV
added 5 days ago2 views

GHSA-Q6GH-6V2R-HJV3 Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers

Impact DefaultHttpClient follows redirects and forwards Authorization, Cookie, and Proxy-Authorization headers to redirect targets across domain boundaries. The blocklist only filters Host/Connection/TE/CT/CL. Additionally, no maximum redirect count exists, enabling infinite loop DoS. Affected:...

6.8CVSS6AI score
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/11 3:39 p.m.10 views

CVE-2026-44486 Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axi...

7.5CVSS5.4AI score0.00532EPSS
Exploits1References1
CVE
CVE
added 2026/06/11 3:39 p.m.35 views

CVE-2026-44486

Axios (Node.js) prior to 0.32.0 and 1.16.0 is vulnerable to leaking Proxy-Authorization credentials to a redirect target when using an authenticated proxy and automatic redirects. If a request uses a proxy and follows a redirect that switches to a direct connection, a stale Proxy-Authorization he...

7.5CVSS5.5AI score0.00532EPSS
Exploits1References25Affected Software1
OSV
OSV
added 2026/06/11 3:39 p.m.1 views

CVE-2026-44486 Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axi...

7.5CVSS5.9AI score0.00532EPSS
Exploits1References27
OSV
OSV
added 2026/06/11 3:38 p.m.2 views

CVE-2026-44487 Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is...

8.2CVSS5.9AI score0.00664EPSS
Exploits1References31
Cvelist
Cvelist
added 2026/06/11 3:30 p.m.31 views

CVE-2026-44489 Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

3.7CVSS0.00228EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/06/11 3:30 p.m.8 views

CVE-2026-44489 Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

3.7CVSS5.5AI score0.00228EPSS
Exploits1References1
CVE
CVE
added 2026/06/11 3:30 p.m.98 views

CVE-2026-44489

Axios version range 1.15.2–1.15.x is vulnerable to a header injection via the Proxy-Authorization header. The root cause is that nested objects created by utils.merge() (e.g., config.proxy) retain plain {} with Object.prototype in their chain, and setProxy() in lib/adapters/http.js (lines ~209–22...

5.3CVSS5.5AI score0.00228EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/06/10 2:41 p.m.9 views

EEF-CVE-2026-48856 httpc leaks Authorization header to cross-origin redirect targets

Summary Sensitive Data Exposure vulnerability in Erlang OTP inets httpc\response module allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary...

7.1CVSS5.4AI score0.00335EPSS
Exploits0References4
FreeBSD
FreeBSD
added 2026/06/10 12:0 a.m.8 views

Erlang/OTP -- httpc leaks authentication headers on cross-host redirect

https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh reports: The HTTP client httpc in inets now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port, following the requirements of RFC 9110 section...

7.1CVSS5.5AI score0.00335EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.13 views

Erlang/OTP 输入验证错误漏洞

Erlang/OTP is an open-source JavaScript library for handling exceptions. This library can catch exceptions caused by Node.js’s built-in APIs. Versions of Erlang/OTP between 5.10 and 9.7.1, 9.6.2.2, and 9.3.2.6 have a vulnerability related to input validation errors. This vulnerability arises...

7.1CVSS5.3AI score0.00335EPSS
Exploits0References1
Veracode
Veracode
added 2026/06/09 9:21 a.m.10 views

Information Exposure

Axios is vulnerable to Information Exposure. The vulnerability is due to improper handling of the Proxy-Authorization header in the Node.js HTTP adapter, where proxy credentials can be retained across redirects and inadvertently sent to a redirected destination after the request is no longer rout...

7.5CVSS5.4AI score0.00532EPSS
Exploits1References28Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:11 p.m.9 views

CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS5.4AI score0.00505EPSS
Exploits0References1
OSV
OSV
added 2026/05/29 3:51 p.m.26 views

GHSA-654M-C8P4-X5FP Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

3.7CVSS5.8AI score0.00228EPSS
Exploits1References4
Snyk
Snyk
added 2026/05/29 3:51 p.m.9 views

Prototype Pollution

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the setProxy function. An attacker can inject arbitrary credentials into the Proxy-Authorization header of proxied HTTP requests b...

9.1CVSS6.4AI score0.00715EPSS
Exploits2References3
Snyk
Snyk
added 2026/05/27 12:38 a.m.17 views

Insufficiently Protected Credentials

Overview @hapi/wreck is a HTTP Client Utilities library. Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to leaking the sensitive Proxy-Authorization header across cross-hostname redirects. An attacker can obtain sensitive proxy credentials by inducing...

6.3CVSS5.8AI score0.00054EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/27 12:38 a.m.16 views

@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects

Impact When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...

4.3CVSS6.8AI score0.00734EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/19 2:46 a.m.18 views

MGASA-2026-0150 Updated perl-libwww-perl & perl-HTTP-Message packages fix security vulnerabilities

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects...

6.5CVSS5.8AI score0.00266EPSS
Exploits0References3
Microsoft CVE
Microsoft CVE
added 2026/05/17 8:1 a.m.12 views

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects

...

6.5CVSS5.8AI score0.00266EPSS
Exploits0
Rows per page
Query Builder