Information disclosure in Follow-redirects

CVE-2026-40895

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects o…

Vulnerability class: Information Disclosure

EPSS: 0.001 (18.2th percentile) — read the EPSS interpretation.

Affected products

Follow-redirects — versions < 1.16.0

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653 (x_refsource_CONFIRM)