CVE Disclosure

CVE-2026-48022

@hapi/wreck · JavaScript

Credential headers leaked on redirect — hostname-only origin check ignores scheme and port

CVSS: 6.5
Severity: Moderate
Class: CWE-200
Fixed in: 18.1.2

Summary

CVE-2026-48022 is a moderate-severity (CVSS 6.5) credential-exposure issue in @hapi/wreck, the HTTP client used across the hapi ecosystem. Wreck strips credential headers on cross-origin redirects, but its origin check compares only the hostname — it ignores scheme and port.

As a result, credentials survive redirects that change the security context on the same host: a same-host port change, or an HTTPS → HTTP downgrade. (CWE-200: Exposure of Sensitive Information; CWE-940: Improper Verification of Source of a Communication Channel.)

Impact

An attacker who can influence the redirect target can capture bearer tokens, session cookies, and proxy credentials forwarded to an unintended destination via port hopping or protocol downgrade — and then impersonate the victim. Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Resolution

Upgrade to @hapi/wreck 18.1.2 or later, which validates the full origin (scheme + host + port) before forwarding credential headers across a redirect. Workarounds if you cannot upgrade immediately: disable redirects (redirects: 0) and handle them manually, or keep redirects enabled and use the beforeRedirect hook to strip the sensitive headers (bearer tokens, session cookies, proxy credentials) before the redirected request is sent.

The reviewer's lesson: an "origin" is scheme + host + port, never host alone. Any credential-stripping logic that keys on hostname is one port or one downgrade away from leaking.
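The following is an added example written for this page, not code from @hapi/wreck or from the reporter. It puts the hostname-only check the advisory describes beside a full-origin check, runs both over the advisory's two leak scenarios (same-host port change, HTTPS to HTTP downgrade) and two control cases, and then wraps the full-origin policy in the shape of a beforeRedirect hook as the client-side workaround. The request URL, redirect targets and header values are constructed; the beforeRedirect hook signature, the absolute form of its location argument and the location of the outgoing headers in redirectOptions.headers are assumptions about wreck's hook and should be checked against the version you run.

```javascript
'use strict';
// Added example for this page, not @hapi/wreck's own source. It models the
// advisory's pre-fix hostname-only check beside the full-origin check and
// wraps the full check as a header policy a client can apply itself.

// Headers that carry credentials and must not cross an origin boundary.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Pre-18.1.2 behaviour as the advisory describes it: hostname only.
function sameHostOnly(fromUrl, toUrl) {
  return new URL(fromUrl).hostname === new URL(toUrl).hostname;
}

// Fixed behaviour: scheme + host + port. URL.origin drops default ports, so
// https://h and https://h:443 compare equal while https://h:8443 does not.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Headers to forward to `toUrl`: credential headers survive only when the
// supplied check says the security context is unchanged.
function redirectHeaders(fromUrl, toUrl, headers, isSameOrigin = sameOrigin) {
  if (isSameOrigin(fromUrl, toUrl)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

function carriesCredentials(headers) {
  return Object.keys(headers).some((name) => CREDENTIAL_HEADERS.has(name.toLowerCase()));
}

// Constructed request: all three credential kinds the advisory names plus one
// harmless header that should always be forwarded.
const FROM = 'https://api.example.com/login';
const SAMPLE_HEADERS = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed',
  'Proxy-Authorization': 'Basic Y29uc3RydWN0ZWQ=',
  Accept: 'application/json',
};

// Constructed redirect targets: the advisory's two leak cases and two controls.
const CASES = [
  { label: 'same-host port change', to: 'https://api.example.com:8443/login' },
  { label: 'https -> http downgrade', to: 'http://api.example.com/login' },
  { label: 'same origin, default port written out', to: 'https://api.example.com:443/v2/login' },
  { label: 'different host', to: 'https://cdn.example.net/login' },
];

// For each target, whether each check still forwards credentials.
function leakReport() {
  return CASES.map(({ label, to }) => ({
    label,
    hostOnlyForwards: carriesCredentials(redirectHeaders(FROM, to, SAMPLE_HEADERS, sameHostOnly)),
    fullOriginForwards: carriesCredentials(redirectHeaders(FROM, to, SAMPLE_HEADERS)),
  }));
}

// Workaround shape for a client that cannot upgrade yet: a beforeRedirect
// hook that applies the full-origin policy itself. ASSUMPTION: the hook
// signature (redirectMethod, statusCode, location, resHeaders,
// redirectOptions, next), an absolute `location`, and headers living in
// redirectOptions.headers follow wreck's documented hook; verify against
// the version you run before relying on it.
function makeBeforeRedirect(originalUrl) {
  return (redirectMethod, statusCode, location, resHeaders, redirectOptions, next) => {
    redirectOptions.headers = redirectHeaders(originalUrl, location, redirectOptions.headers || {});
    next();
  };
}

console.table(leakReport());
```

Run stand-alone, the table shows the hostname-only check forwarding credentials for the port change and the downgrade while the full-origin check strips them, both checks forwarding for the genuinely same-origin target (the explicit :443 is normalised away by URL.origin), and both stripping for the different host. The other workaround on this page, redirects: 0 with manual handling, can reuse redirectHeaders in the same way before issuing the follow-up request.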

References

hapijs/wreck GitHub Security Advisory GHSA-x426-x7cc-3fpc; MITRE CVE record for CVE-2026-48022; NVD detail page (once published).

Disclosure

Reported by Kai Aizen (SnailSploit). Status: Published. Coordinated with the hapi.js maintainers; resolved in 18.1.2.

Author: Kai Aizen
Independent Adversarial · Research group. Published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-48022
Product: @hapi/wreck (npm)
Severity: 6.5 · Moderate
Class: CWE-200
Affected: @hapi/wreck < 18.1.2 · Fixed: 18.1.2
References: GHSA-x426-x7cc-3fpc · MITRE · NVD
Frequently asked

CVE-2026-48022 — questions & answers

What is CVE-2026-48022?

A moderate credential-exposure vulnerability (CWE-200/CWE-940) in @hapi/wreck. It strips credential headers on cross-origin redirects but compares only the hostname, ignoring scheme and port — so credentials leak across same-host port changes and HTTPS-to-HTTP downgrades.

Am I affected by CVE-2026-48022?

You are affected if you use @hapi/wreck below 18.1.2 to make authenticated requests that may follow redirects. An attacker who influences the redirect target can capture forwarded credentials.

How do I fix CVE-2026-48022?

Upgrade to @hapi/wreck 18.1.2 or later. As a workaround, disable redirects (redirects: 0) and handle them manually, or use the beforeRedirect hook to strip sensitive headers.

What is the impact of CVE-2026-48022?

Bearer tokens, session cookies, and proxy credentials can be forwarded to an unintended destination via port hopping or protocol downgrade, letting an attacker impersonate the victim. CVSS 6.5 Moderate.

Where can I find authoritative references?

The hapijs/wreck GitHub Security Advisory GHSA-x426-x7cc-3fpc, the MITRE CVE record for CVE-2026-48022, and the NVD detail page once published.