CVE-2026-40255: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in adonisjs http-server
A vulnerability in AdonisJS HTTP Server prior to versions 7. 8. 1 and 8. 2. 0 allows an attacker to exploit the response. redirect(). back() method. This method improperly trusts the Referer header from incoming requests and redirects users to that URL without validating the host. An attacker who can control the Referer header can redirect users to malicious external sites. This open redirect issue affects all AdonisJS applications using this method in the specified vulnerable versions.
AI Analysis
Technical Summary
CVE-2026-40255 is an open redirect vulnerability (CWE-601) in the AdonisJS HTTP Server package. The vulnerability exists in versions prior to 7.8.1 and between 8.0.0-next.0 and 8.1.3, as well as in @adonisjs/core versions prior to 7.4.0. The response.redirect().back() method reads the Referer header from the HTTP request and redirects the user to that URL without validating whether the host is trusted. This allows an attacker who can influence the Referer header to redirect users to malicious external sites. The vulnerability has been addressed in versions 7.8.1 and 8.2.0 of the http-server package and 7.4.0 of @adonisjs/core.
Potential Impact
The vulnerability allows attackers to perform open redirect attacks by manipulating the Referer header, potentially redirecting users to malicious websites. This can be used in phishing attacks or to bypass security controls that rely on trusted redirects. The CVSS score of 6.1 indicates a medium severity impact with low confidentiality and integrity impact but no availability impact.
Mitigation Recommendations
A fix is available in AdonisJS HTTP Server versions 7.8.1 and 8.2.0, and in @adonisjs/core version 7.4.0. Users should upgrade to these or later versions to remediate the vulnerability. No other mitigation is specified or required once patched.
CVE-2026-40255: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in adonisjs http-server
Description
A vulnerability in AdonisJS HTTP Server prior to versions 7. 8. 1 and 8. 2. 0 allows an attacker to exploit the response. redirect(). back() method. This method improperly trusts the Referer header from incoming requests and redirects users to that URL without validating the host. An attacker who can control the Referer header can redirect users to malicious external sites. This open redirect issue affects all AdonisJS applications using this method in the specified vulnerable versions.
CVSS v3.1
Score 6.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40255 is an open redirect vulnerability (CWE-601) in the AdonisJS HTTP Server package. The vulnerability exists in versions prior to 7.8.1 and between 8.0.0-next.0 and 8.1.3, as well as in @adonisjs/core versions prior to 7.4.0. The response.redirect().back() method reads the Referer header from the HTTP request and redirects the user to that URL without validating whether the host is trusted. This allows an attacker who can influence the Referer header to redirect users to malicious external sites. The vulnerability has been addressed in versions 7.8.1 and 8.2.0 of the http-server package and 7.4.0 of @adonisjs/core.
Potential Impact
The vulnerability allows attackers to perform open redirect attacks by manipulating the Referer header, potentially redirecting users to malicious websites. This can be used in phishing attacks or to bypass security controls that rely on trusted redirects. The CVSS score of 6.1 indicates a medium severity impact with low confidentiality and integrity impact but no availability impact.
Mitigation Recommendations
A fix is available in AdonisJS HTTP Server versions 7.8.1 and 8.2.0, and in @adonisjs/core version 7.4.0. Users should upgrade to these or later versions to remediate the vulnerability. No other mitigation is specified or required once patched.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e166dc82d89c981fd8594f
Added to database: 4/16/2026, 10:46:52 PM
Last enriched: 4/24/2026, 4:15:21 PM
Last updated: 6/1/2026, 7:50:42 PM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.