CVE-2026-40895
Published: 21 April 2026
Summary
CVE-2026-40895 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in follow-redirects (Follow-Redirects Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique T1528 (Steal Application Access Token). The CVE ranks at the 15.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely remediation of the flaw in follow-redirects through an upgrade to version 1.16.0 or later.
- RA-5 (Vulnerability Monitoring and Scanning): identifies vulnerable instances of the follow-redirects library in dependencies via scanning tools such as npm audit before exploitation.
- Ensures awareness of and response to relevant security advisories, such as GHSA-r4q5-vmmm-2653 for this follow-redirects vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables credential theft: custom authentication headers (e.g., API keys, tokens) are leaked to an attacker-controlled server during cross-domain redirects, which maps to T1528 Steal Application Access Token.
NVD Description
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Deeper analysis
CVE-2026-40895 affects the follow-redirects open-source library, a drop-in replacement for Node.js's `http` and `https` modules that automatically handles redirects. In versions prior to 1.16.0, the library fails to strip custom authentication headers (such as X-API-Key, X-Auth-Token, Api-Key, or Token) when processing cross-domain redirects (HTTP status codes 301, 302, 307, or 308). It only removes the standard authorization, proxy-authorization, and cookie headers, matched by a regex in index.js, so every other header is forwarded verbatim to the redirect target. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
An attacker can exploit this by controlling a server that issues a cross-domain redirect to another server they control. When a client application using a vulnerable follow-redirects version makes an HTTP request to the attacker's initial server (for example through a phishing lure or a compromised link), the library follows the redirect and forwards any custom authentication headers present in the original request. This allows remote, unauthenticated attackers to steal credentials without user interaction, for a high confidentiality impact with no effect on integrity or availability.
The GitHub security advisory (GHSA-r4q5-vmmm-2653) confirms the issue and states that it is fixed in follow-redirects version 1.16.0, recommending immediate upgrades for all prior versions. Practitioners should audit dependencies with tools such as npm audit and verify that applications upgrade to, or pin, the patched version.
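To make the class of defect concrete, the following is an added example written for this page; it is not code from follow-redirects or from the advisory, and all function names, the allowlist contents and the sample headers are constructed for illustration. It places a narrow denylist policy of the kind the advisory describes (only three named headers dropped on a cross-origin hop) beside an allowlist policy that forwards only content-negotiation headers to a different origin, and adds an audit helper that lists the headers the narrow policy would forward but the allowlist would not. That difference is the set of custom credential headers a client would leak on a given redirect, which is a useful check to run against your own application's header set.

```javascript
// Added example (not follow-redirects' code): header policies for cross-origin
// redirects, plus an audit helper. Node >= 10 (global URL), no dependencies.

// Redirect statuses named in the advisory.
const REDIRECT_STATUSES = new Set([301, 302, 307, 308]);

// Two URLs share an origin only when scheme, host and effective port match,
// so https://api.example.com -> http://api.example.com counts as cross-origin.
// A relative Location header is resolved against the request URL.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl, fromUrl).origin;
}

// Narrow denylist policy: mimics the behaviour the advisory describes, where
// only these three header names are removed on a cross-origin redirect.
const NARROW_DENYLIST = /^(?:authorization|proxy-authorization|cookie)$/i;

function forwardHeadersNarrow(headers, fromUrl, toUrl) {
  if (!isCrossOrigin(fromUrl, toUrl)) return { ...headers };
  return Object.fromEntries(
    Object.entries(headers).filter(([name]) => !NARROW_DENYLIST.test(name))
  );
}

// Allowlist policy: on a cross-origin hop only headers that describe the
// request body or content negotiation survive. Anything else, including a
// custom X-API-Key style header, is dropped regardless of its name.
// The allowlist contents are a constructed, deliberately conservative choice.
const CROSS_ORIGIN_ALLOWLIST = new Set([
  'accept', 'accept-encoding', 'accept-language', 'user-agent',
  'content-type', 'content-length', 'cache-control',
]);

function forwardHeadersAllowlist(headers, fromUrl, toUrl) {
  if (!isCrossOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (CROSS_ORIGIN_ALLOWLIST.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Audit helper: headers the narrow policy forwards that the allowlist policy
// would not. For a redirect status on a cross-origin hop this is exactly the
// set of custom credential headers a narrow-denylist client would leak.
function auditRedirectLeak(headers, fromUrl, toUrl, status) {
  if (!REDIRECT_STATUSES.has(status) || !isCrossOrigin(fromUrl, toUrl)) return [];
  const kept = new Set(Object.keys(forwardHeadersAllowlist(headers, fromUrl, toUrl)));
  return Object.keys(forwardHeadersNarrow(headers, fromUrl, toUrl))
    .filter((name) => !kept.has(name));
}

// Constructed sample request from a client that authenticates with custom headers.
const SAMPLE_HEADERS = {
  Accept: 'application/json',
  Authorization: 'Bearer constructed-token',
  Cookie: 'sid=constructed',
  'X-API-Key': 'constructed-api-key',
  'X-Auth-Token': 'constructed-auth-token',
};

// Stand-alone run: a 302 from the API origin to a different origin.
const FROM = 'https://api.example.com/v1/resource';
const TO = 'https://cdn.example.net/resource';
console.log('narrow policy forwards:   ', Object.keys(forwardHeadersNarrow(SAMPLE_HEADERS, FROM, TO)));
console.log('allowlist policy forwards:', Object.keys(forwardHeadersAllowlist(SAMPLE_HEADERS, FROM, TO)));
console.log('leaked by narrow policy:  ', auditRedirectLeak(SAMPLE_HEADERS, FROM, TO, 302));
```

On the constructed sample the narrow policy forwards Accept, X-API-Key and X-Auth-Token to the second origin, the allowlist policy forwards only Accept, and the audit helper reports X-API-Key and X-Auth-Token as the leak. Same-origin redirects, including relative Location values, pass every header through under both policies, which is why the origin comparison rather than the header name list is the load-bearing check.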
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)