GHSA-9m9w-gxf7-rh8m: Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering
Summary
Tesla.Middleware.FollowRedirects is meant to strip the Authorization header when following a cross-origin redirect, but performs the check with a case-sensitive comparison against the lowercase string "authorization". Because Tesla preserves header keys exactly as supplied by the caller, any application that sets the header with its RFC 7235 canonical casing ("Authorization") bypasses the filter entirely, leaking bearer tokens or other credentials to whatever origin the redirect points at.
Details
The filter list in lib/tesla/middleware/follow_redirects.ex is defined as @filter_headers ["authorization", "host"] and the membership check k not in @filter_headers compares the raw key string without case normalization. HTTP header names are case-insensitive per RFC 7230, but Tesla stores them verbatim. A header tuple {"Authorization", "Bearer …"} does not match "authorization", so it passes through the filter and is forwarded to the redirect destination unchecked. The same defect applies to the "Host" entry.
An attacker who can control a Location: response seen by the victim client (their own endpoint, a redirect-open service, or a compromised upstream) receives the credential on the cross-origin follow. No special configuration is required beyond the victim using the standard header casing.
PoC
1. Configure a Tesla client with Tesla.Middleware.FollowRedirects and set the Authorization header using canonical casing ({"Authorization", "Bearer <token>"}).
2. Make a request to an endpoint that returns a 302 redirect to a different origin.
3. Observe that the Authorization header with its value is present in the request delivered to the redirect destination.
Impact
High severity (CVSS v4.0: 8.2). Any application using tesla 1.4.0 through 1.18.2 with Tesla.Middleware.FollowRedirects and a non-lowercase Authorization header is affected. The workaround is to use all-lowercase "authorization" as the header key until upgrading to 1.18.3.
Workarounds
Normalize a
Details
Original advisory: https://github.com/advisories/GHSA-9m9w-gxf7-rh8m
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-485950.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-48595 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10