CVE-2026-40255: @adonisjs/http-server has an Open Redirect vulnerability
(updated )
The response.redirect().back() method in @adonisjs/http-server is vulnerable to open redirects. The method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header (for example, by linking a user through an attacker-controlled page before a form submission) can cause the application to redirect users to a malicious external site.
This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back').
The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’).
References
- github.com/adonisjs/http-server
- github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08
- github.com/adonisjs/http-server/releases/tag/v7.8.1
- github.com/adonisjs/http-server/releases/tag/v8.2.0
- github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm
- github.com/advisories/GHSA-6qvv-pj99-48qm
- nvd.nist.gov/vuln/detail/CVE-2026-40255
Code Behaviors & Features
Detect and mitigate CVE-2026-40255 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →