CVE-2026-40255
CVE-2026-40255 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in @adonisjs/http-server versions 7.8.1 and 8.2.0, and in @adonisjs/core version 7.4.0.
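To make the defect concrete, the following is an added illustration (not AdonisJS code and not the vendor's patch): the vulnerable pattern is equivalent to echoing the Referer back as the redirect target, while the hardened helper only follows a Referer that resolves to the current request's own host, or a site-relative path, and otherwise falls back to a known-safe location. The function names, the `requestHost` parameter and the sample values are assumptions made for the example.

```javascript
// Added example, not @adonisjs/http-server code: open redirect via Referer.

// Vulnerable pattern: trusts the client-controlled Referer header outright,
// which is what the advisory describes for redirect().back().
function unsafeBackUrl(referer, fallback = '/') {
  return referer || fallback;
}

// Hardened pattern: only follow the Referer if it points back at this host.
// `requestHost` is the Host header of the current request (constructed name),
// e.g. "app.example.com"; `fallback` is where to send the user otherwise.
function safeBackUrl(referer, requestHost, fallback = '/') {
  if (typeof referer !== 'string' || referer.length === 0) return fallback;

  // Site-relative path: exactly one leading "/" is fine, but "//host" and
  // "/\host" are treated by browsers as scheme-relative (another origin).
  if (referer.startsWith('/') && !/^\/[\/\\]/.test(referer)) return referer;

  let url;
  try {
    url = new URL(referer);          // absolute URL only; throws on garbage
  } catch {
    return fallback;                 // malformed or scheme-relative input
  }
  // Reject non-web schemes such as "javascript:" or "data:".
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  // Compare host including port so "app.example.com:8080" is not accepted.
  if (url.host.toLowerCase() !== String(requestHost).toLowerCase()) return fallback;
  // Return only the path so the redirect can never leave this origin.
  return url.pathname + url.search + url.hash;
}

// Constructed samples: a spoofed off-site Referer versus a genuine one.
console.log(safeBackUrl('https://attacker.invalid/phish', 'app.example.com'));        // "/"
console.log(safeBackUrl('https://app.example.com/orders?page=2', 'app.example.com')); // "/orders?page=2"
```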
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Adonisjs | Http-Server | < 7.8.1 |
| Adonisjs | Http-Server | > 8.0.0, <= 8.1.3 |
| Adonisjs | Core | <= 7.3.0 |
References
- https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm (Patch, Vendor Advisory)
Source: NVD / NIST
