Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-48022: CWE-319: Cleartext Transmission of Sensitive Information in hapijs wreck

0
Medium
VulnerabilityCVE-2026-48022cvecve-2026-48022cwe-319cwe-346cwe-522
Published: 07/17/2026 (07/17/2026, 21:02:05 UTC)
Source: CVE Database V5
Vendor/Project: hapijs
Product: wreck

Description

@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.

CVSS v3.1

Score 6.5medium

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected software

@hapi/wreck
pkg:npm/@hapi/wreck
Affected versions
<18.1.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 09:00:02 UTC

Technical Analysis

The hapijs wreck HTTP client utility versions before 18.1.2 improperly handle credential headers during cross-origin redirects. While Wreck strips Authorization, Cookie, and Proxy-Authorization headers before following redirects, the origin check only compares hostnames and ignores scheme and port. This flaw allows credentials to be forwarded intact when redirects occur between different ports on the same host or from HTTPS to HTTP. An attacker positioned on an adjacent port or able to forge redirects can capture sensitive credentials and impersonate the victim against upstream services. The vulnerability is addressed in version 18.1.2.

Potential Impact

Sensitive authentication credentials such as bearer tokens, session cookies, and proxy credentials can be exposed to attackers capable of forcing redirects across ports or downgrading HTTPS to HTTP. This exposure allows attackers to impersonate victims to upstream services, potentially compromising user sessions and access controls. The CVSS score of 6.5 reflects a medium severity impact with high confidentiality impact but no integrity or availability impact.

Mitigation Recommendations

Upgrade to hapijs wreck version 18.1.2 or later, where this issue is fixed. No other mitigation is indicated by the vendor advisory. Patch status is confirmed by the description stating the fix is in version 18.1.2.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-05-20T17:44:09.587Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a5b401a34329bf928c718c3

Added to database: 07/18/2026, 08:58:02 UTC

Last enriched: 07/18/2026, 09:00:02 UTC

Last updated: 07/18/2026, 11:08:19 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses