CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects

mediumCVSS 6.5CVE-2026-54171
Impact The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip. _What kind of vulnerability is it? Who is impacted?_ This could cause inadvertent leakage of sensitive data for users of the RedirectFollower middleware in cases where the initial request includes header information that is not intended for the new target. Patches Patch exists and is released in v1.5.0 Workarounds Users can backport the fix to a custom redirect follower middleware.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.5
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-48rx-c7pg-q66r

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-54171coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories