CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-9m9w-gxf7-rh8m: Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering

highCVE-2026-48595
Summary Tesla.Middleware.FollowRedirects is meant to strip the Authorization header when following a cross-origin redirect, but performs the check with a case-sensitive comparison against the lowercase string "authorization". Because Tesla preserves header keys exactly as supplied by the caller, any application that sets the header with its RFC 7235 canonical casing ("Authorization") bypasses the filter entirely, leaking bearer tokens or other credentials to whatever origin the redirect points at. Details The filter list in lib/tesla/middleware/follow_redirects.ex is defined as @filter_headers ["authorization", "host"] and the membership check k not in @filter_headers compares the raw key string without case normalization. HTTP header names are case-insensitive per RFC 7230, but Tesla stores them verbatim. A header tuple {"Authorization", "Bearer …"} does not match "authorization", so it passes through the filter and is forwarded to the redirect destination unchecked. The same defect applies to the "Host" entry. An attacker who can control a Location: response seen by the victim client (their own endpoint, a redirect-open service, or a compromised upstream) receives the credential on the cross-origin follow. No special configuration is required beyond the victim using the standard header casing. PoC 1. Configure a Tesla client with Tesla.Middleware.FollowRedirects and set the Authorization header using canonical casing ({"Authorization", "Bearer <token>"}). 2. Make a request to an endpoint that returns a 302 redirect to a different origin. 3. Observe that the Authorization header with its value is present in the request delivered to the redirect destination. Impact High severity (CVSS v4.0: 8.2). Any application using tesla 1.4.0 through 1.18.2 with Tesla.Middleware.FollowRedirects and a non-lowercase Authorization header is affected. The workaround is to use all-lowercase "authorization" as the header key until upgrading to 1.18.3. Workarounds Normalize a

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-9m9w-gxf7-rh8m

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-48595coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories