CVE-2026-48022: CWE-319: Cleartext Transmission of Sensitive Information in hapijs wreck
@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.
AI Analysis
Technical Summary
The hapijs wreck HTTP client utility versions before 18.1.2 improperly handle credential headers during cross-origin redirects. While Wreck strips Authorization, Cookie, and Proxy-Authorization headers before following redirects, the origin check only compares hostnames and ignores scheme and port. This flaw allows credentials to be forwarded intact when redirects occur between different ports on the same host or from HTTPS to HTTP. An attacker positioned on an adjacent port or able to forge redirects can capture sensitive credentials and impersonate the victim against upstream services. The vulnerability is addressed in version 18.1.2.
Potential Impact
Sensitive authentication credentials such as bearer tokens, session cookies, and proxy credentials can be exposed to attackers capable of forcing redirects across ports or downgrading HTTPS to HTTP. This exposure allows attackers to impersonate victims to upstream services, potentially compromising user sessions and access controls. The CVSS score of 6.5 reflects a medium severity impact with high confidentiality impact but no integrity or availability impact.
Mitigation Recommendations
Upgrade to hapijs wreck version 18.1.2 or later, where this issue is fixed. No other mitigation is indicated by the vendor advisory. Patch status is confirmed by the description stating the fix is in version 18.1.2.
CVE-2026-48022: CWE-319: Cleartext Transmission of Sensitive Information in hapijs wreck
Description
@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.
CVSS v3.1
Score 6.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The hapijs wreck HTTP client utility versions before 18.1.2 improperly handle credential headers during cross-origin redirects. While Wreck strips Authorization, Cookie, and Proxy-Authorization headers before following redirects, the origin check only compares hostnames and ignores scheme and port. This flaw allows credentials to be forwarded intact when redirects occur between different ports on the same host or from HTTPS to HTTP. An attacker positioned on an adjacent port or able to forge redirects can capture sensitive credentials and impersonate the victim against upstream services. The vulnerability is addressed in version 18.1.2.
Potential Impact
Sensitive authentication credentials such as bearer tokens, session cookies, and proxy credentials can be exposed to attackers capable of forcing redirects across ports or downgrading HTTPS to HTTP. This exposure allows attackers to impersonate victims to upstream services, potentially compromising user sessions and access controls. The CVSS score of 6.5 reflects a medium severity impact with high confidentiality impact but no integrity or availability impact.
Mitigation Recommendations
Upgrade to hapijs wreck version 18.1.2 or later, where this issue is fixed. No other mitigation is indicated by the vendor advisory. Patch status is confirmed by the description stating the fix is in version 18.1.2.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-20T17:44:09.587Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5b401a34329bf928c718c3
Added to database: 07/18/2026, 08:58:02 UTC
Last enriched: 07/18/2026, 09:00:02 UTC
Last updated: 07/18/2026, 11:08:19 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.