CVE-2026-44979: @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects
When @hapi/wreck follows a 3xx redirect to a different hostname, it strips only the `Authorization` and `Cookie` headers from the re-issued request. The `Proxy-Authorization` header, which also carries credentials, is forwarded intact to the redirect target. A server (or anyone able to inject a redirect into the response) can therefore cause the client to send its forward-proxy credentials to a host outside the original trust boundary.
Redirect following is opt-in. The `redirects` option defaults to `false` (no redirects are followed), so an application is affected only if it explicitly sets `redirects` to a positive integer, either per request or globally via `Wreck.defaults({ redirects: ... })`. Applications that keep the default are not exposed by this issue.
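The following is an added example, not code from @hapi/wreck, that models the header policy described above. It applies both the vulnerable strip list (`Authorization` and `Cookie` only) and a hardened one (adding `Proxy-Authorization`) to a constructed request whose 3xx response points at another hostname, and it includes a small check for whether a `redirects` option value means redirects will be followed. The function and constant names are assumptions chosen for this illustration; the headers and URLs are constructed sample data.

```javascript
// Added example (not @hapi/wreck's source). Node's global URL is used to
// resolve the Location target and compare hostnames.

// Headers the vulnerable behaviour strips on a cross-hostname redirect.
const VULNERABLE_STRIP = ['authorization', 'cookie'];
// Hardened policy: forward-proxy credentials are dropped as well.
const HARDENED_STRIP = ['authorization', 'cookie', 'proxy-authorization'];

// Location may be relative, so resolve it against the original request URL.
// Hostname comparison is case-insensitive (DNS names are).
function isCrossHost(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, from);
  return from.hostname.toLowerCase() !== to.hostname.toLowerCase();
}

// Build the header set for the redirected request. Headers in stripList are
// removed only when the redirect leaves the original hostname; same-host
// redirects keep every header, matching the behaviour the advisory describes.
function redirectHeaders(headers, fromUrl, toUrl, stripList) {
  const cross = isCrossHost(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (cross && stripList.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// The advisory states that `redirects` defaults to false and that only a
// positive integer enables following. This helper encodes that rule for
// auditing request/default options (assumed helper, not a wreck API).
function followsRedirects(options) {
  const n = options && options.redirects;
  return Number.isInteger(n) && n > 0;
}

// Constructed sample request: bearer token for the API, session cookie, and
// Basic credentials for an outbound forward proxy (value is a placeholder).
const SAMPLE_HEADERS = {
  'User-Agent': 'example-client/1.0',
  Authorization: 'Bearer example-token',
  Cookie: 'session=abc',
  'Proxy-Authorization': 'Basic cHJveHk6c2VjcmV0',
};

function demo() {
  const from = 'https://api.example.test/v1/resource';
  const crossHost = 'https://collector.attacker.test/capture';
  return {
    vulnerable: redirectHeaders(SAMPLE_HEADERS, from, crossHost, VULNERABLE_STRIP),
    hardened: redirectHeaders(SAMPLE_HEADERS, from, crossHost, HARDENED_STRIP),
    sameHost: redirectHeaders(SAMPLE_HEADERS, from, '/v2/resource', HARDENED_STRIP),
    defaultConfigAffected: followsRedirects({}),
    optedInConfigAffected: followsRedirects({ redirects: 3 }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the `vulnerable` result the `Authorization` and `Cookie` headers are gone but `Proxy-Authorization` still reaches `collector.attacker.test`; in the `hardened` result all three credential headers are dropped, while the same-host redirect keeps them. A practitioner auditing a service can apply `followsRedirects` to each request's options and to the values passed to `Wreck.defaults` to find the call sites that are actually exposed.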