Skip to content

[GHSA-48rx-c7pg-q66r] Excon does not redact additional sensitive/risky headers when following redirects#8726

Open
Amayyas wants to merge 1 commit into
Amayyas/advisory-improvement-8726from
Amayyas-GHSA-48rx-c7pg-q66r
Open

[GHSA-48rx-c7pg-q66r] Excon does not redact additional sensitive/risky headers when following redirects#8726
Amayyas wants to merge 1 commit into
Amayyas/advisory-improvement-8726from
Amayyas-GHSA-48rx-c7pg-q66r

Conversation

@Amayyas

@Amayyas Amayyas commented Jul 17, 2026

Copy link
Copy Markdown

Updates

  • CWEs

Comments
This advisory currently has no CWE assigned. The vulnerability class here —
sensitive HTTP headers being forwarded across an origin boundary when
following a redirect — is consistently classified as CWE-200: Exposure of
Sensitive Information to an Unauthorized Actor across other GitHub advisories
for the exact same pattern:

This advisory describes the same underlying weakness for excon's
RedirectFollower middleware, which previously failed to strip additional
sensitive headers before following a redirect to a new target. Adding CWE-200
aligns this entry with how GitHub already classifies this well-established
vulnerability pattern.

References:

@github

github commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Hi there @geemus! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions
github-actions Bot changed the base branch from main to Amayyas/advisory-improvement-8726 July 17, 2026 19:32
@geemus

geemus commented Jul 18, 2026

Copy link
Copy Markdown

Sounds reasonable, thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants