CVE-2026-40895 Overview
CVE-2026-40895 is an information disclosure vulnerability in the follow-redirects Node.js package, a popular drop-in replacement for Node's native http and https modules that automatically handles HTTP redirects. The vulnerability exists in versions prior to 1.16.0 and allows custom authentication headers to be leaked to unauthorized third-party domains during cross-domain redirect scenarios.
When an HTTP request follows a cross-domain redirect (301/302/307/308 status codes), follow-redirects only strips the standard authorization-related headers (Authorization, Proxy-Authorization, and Cookie) using regex matching in index.js. However, any custom authentication headers commonly used in modern APIs—such as X-API-Key, X-Auth-Token, Api-Key, or Token—are forwarded verbatim to the redirect target, potentially exposing sensitive credentials to malicious or unintended recipients.
Critical Impact
Custom API keys and authentication tokens can be leaked to arbitrary third-party domains when applications using follow-redirects follow cross-domain redirects, potentially allowing unauthorized access to protected resources.
Affected Products
- follow-redirects versions prior to 1.16.0 for Node.js
- Applications and packages that depend on follow-redirects for HTTP redirect handling
- Popular packages like axios that use follow-redirects as a dependency
Discovery Timeline
- April 21, 2026 - CVE-2026-40895 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40895
Vulnerability Analysis
The vulnerability stems from an incomplete header sanitization implementation in the follow-redirects package. When the library processes HTTP redirect responses across domain boundaries, it implements security measures to prevent credential leakage by stripping certain sensitive headers before forwarding the request to the new location. However, the implementation only accounts for standard authentication headers defined in RFC specifications.
Modern web applications and APIs frequently utilize custom headers for authentication purposes. These custom headers—commonly prefixed with X- or using application-specific naming conventions—are not recognized by the existing sanitization logic. As a result, when a request containing such headers encounters a cross-domain redirect, the sensitive authentication data is transmitted to the redirect target without any filtering.
This creates a significant security risk in scenarios where an attacker can control or influence redirect destinations. By setting up a malicious endpoint that issues redirects to attacker-controlled servers, threat actors can harvest API keys and tokens from vulnerable applications.
Root Cause
The root cause is an incomplete allowlist/blocklist approach to header sanitization in the redirect handling logic. The code in index.js uses regex pattern matching to identify and remove sensitive headers, but the patterns only cover the three standard authorization headers (Authorization, Proxy-Authorization, and Cookie). The design fails to account for the widespread use of custom authentication headers in contemporary API implementations, leaving a significant gap in credential protection during redirect scenarios.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Setting up a malicious server that responds with redirect status codes (301, 302, 307, or 308)
- Pointing the redirect Location header to an attacker-controlled endpoint
- Waiting for victim applications to make requests to the initial malicious server with custom authentication headers
- Collecting the leaked credentials from incoming requests to the redirect target
The vulnerability can be exploited through supply chain attacks, DNS hijacking, or compromised third-party services that applications integrate with. Since the redirect is followed automatically by the library, no user intervention is required for the credential leak to occur.
The vulnerability manifests in the header sanitization logic within index.js where cross-domain redirect handling is implemented. The existing regex patterns fail to match custom authentication header formats. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2026-40895
Indicators of Compromise
- Unexpected outbound connections from applications to unknown or suspicious domains following API calls
- Authentication tokens or API keys appearing in logs of third-party services
- Unusual activity on API accounts suggesting credential compromise
- Network traffic showing HTTP requests with sensitive custom headers being sent to unexpected destinations
Detection Strategies
- Monitor outbound HTTP traffic for cross-domain redirects that carry custom authentication headers
- Implement network-level inspection to detect authentication headers being transmitted to untrusted domains
- Review application dependencies using npm audit or similar tools to identify vulnerable follow-redirects versions
- Deploy runtime application security monitoring to detect credential leakage patterns
Monitoring Recommendations
- Enable verbose logging for HTTP client libraries to track redirect chains and header transmission
- Implement alerting for unusual API key usage patterns that may indicate credential theft
- Monitor for dependency updates and security advisories related to follow-redirects
- Establish baseline network behavior to identify anomalous redirect patterns
How to Mitigate CVE-2026-40895
Immediate Actions Required
- Update follow-redirects to version 1.16.0 or later immediately
- Audit applications for custom authentication header usage with HTTP client libraries
- Rotate any API keys or tokens that may have been exposed through this vulnerability
- Review application logs for evidence of cross-domain redirects that may have leaked credentials
Patch Information
The vulnerability has been fixed in follow-redirects version 1.16.0. The patch extends the header sanitization logic to properly handle custom authentication headers during cross-domain redirects. Update using your package manager:
For npm: npm update follow-redirects
For yarn: yarn upgrade follow-redirects
If follow-redirects is a transitive dependency (common with axios), ensure your top-level dependencies are updated to versions that include the patched follow-redirects. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Configure HTTP clients to disable automatic redirect following and handle redirects manually with proper header sanitization
- Implement application-level middleware to strip custom authentication headers before requests that may result in cross-domain redirects
- Use network-level controls to restrict outbound redirects to trusted domains only
- Consider implementing request interceptors that validate redirect destinations before following them
# Check your current follow-redirects version
npm list follow-redirects
# Update to the patched version
npm install follow-redirects@1.16.0
# Verify the update
npm list follow-redirects
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
