Fluid Attacks Database

Description

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-follow-redirects	=1.15.11+~1.14.4-1 \|\| =1.15.11+~1.14.4-2 \|\| =1.15.2+~1.14.1-1 \|\| =1.15.3+~1.14.2-1 \|\| =1.15.6+~1.14.4-1 \|\| =1.15.6+~1.14.4-2 \|\| =1.15.9+~1.14.4-1 \|\| =1.16.0+~1.14.4-1	-
debian 13	node-follow-redirects	=1.15.11+~1.14.4-1 \|\| =1.15.11+~1.14.4-2 \|\| =1.15.9+~1.14.4-1 \|\| =1.16.0+~1.14.4-1	-
debian 11	node-follow-redirects	=1.13.1-1 \|\| =1.13.1-1+deb11u1 \|\| =1.14.5-1 \|\| =1.14.7+~1.13.1-1 \|\| =1.14.8+~1.14.0-1 \|\| =1.14.9+~1.14.1-1 \|\| =1.14.9+~1.14.1-2 \|\| =1.14.9+~1.14.1-3 \|\| =1.15.1+~1.14.1-1 \|\| =1.15.1+~1.14.1-2 \|\| =1.15.1+~1.14.1-3 \|\| =1.15.11+~1.14.4-1 \|\| =1.15.11+~1.14.4-2 \|\| =1.15.2+~1.14.1-1 \|\| =1.15.3+~1.14.2-1 \|\| =1.15.6+~1.14.4-1 \|\| =1.15.6+~1.14.4-2 \|\| =1.15.9+~1.14.4-1 \|\| =1.16.0+~1.14.4-1	-
debian 14	node-follow-redirects	=1.15.11+~1.14.4-1 \|\| =1.15.11+~1.14.4-2 \|\| =1.15.9+~1.14.4-1 \|\| >=0 <1.16.0+~1.14.4-1	1.16.0+~1.14.4-1
rpm rhel8	grafana	-	-

Aliases

1. CVE-2026-408952. NVD-2026-408953. OSV-DEBIAN-2026-408954. OSV-2026-408955. SECURITY-TRACKER-CVE-2026-40895

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.