VYPR

Wreck

by hapijs

Source repositories

CVEs (2)

  • CVE-2026-48022Jun 11, 2026
    risk 0.00cvss epss 0.00

    ### Impact Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes…

  • CVE-2026-44979May 27, 2026
    risk 0.00cvss epss 0.00

    ### Impact When `@hapi/wreck` follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy…