GHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects
Impact
The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip.
_What kind of vulnerability is it? Who is impacted?_
This could cause inadvertent leakage of sensitive data for users of the RedirectFollower middleware in cases where the initial request includes header information that is not intended for the new target.
Patches
Patch exists and is released in v1.5.0
Workarounds
Users can backport the fix to a custom redirect follower middleware.
Details
Original advisory: https://github.com/advisories/GHSA-48rx-c7pg-q66r
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-54171 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10
- criticalGHSA-56mp-4f3v-fgj2: SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content2026-07-10