{"id":"CVE-2026-54171","aliases":["GHSA-48rx-c7pg-q66r"],"title":"Excon does not redact additional sensitive/risky headers when following redirects","summary":"Excon does not redact additional sensitive/risky headers when following redirects","severity":"medium","cvss":6.5,"vendor":"excon","product":"excon","ecosystem":"rubygems","affected":["excon < 1.5.0"],"patched":["excon 1.5.0"],"published":"2026-07-10","updated":"2026-07-10","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-48rx-c7pg-q66r","references":[{"url":"https://github.com/excon/excon/security/advisories/GHSA-48rx-c7pg-q66r"},{"url":"https://github.com/excon/excon/commit/ea89a35308a12f4b791b6c50f2cbd33f94889fa3"},{"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/excon/CVE-2026-54171.yml"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-54171"},{"url":"https://github.com/advisories/GHSA-48rx-c7pg-q66r"}],"tags":["ghsa","rubygems"],"ingestedAt":"2026-07-10T21:06:31.243Z","slug":"CVE-2026-54171","body":"## Overview\n\n### Impact\nThe redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip. \n\n_What kind of vulnerability is it? Who is impacted?_\nThis could cause inadvertent leakage of sensitive data for users of the RedirectFollower middleware in cases where the initial request includes header information that is not intended for the new target.\n\n### Patches\nPatch exists and is released in v1.5.0\n\n### Workarounds\nUsers can backport the [fix](https://github.com/excon/excon/commit/ea89a35308a12f4b791b6c50f2cbd33f94889fa3) to a custom redirect follower middleware.\n\n## Affected packages\n\n- `excon < 1.5.0`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `excon 1.5.0`","depth":"sunlit","depthScore":36,"depthScoreParts":{"impact":35.8,"likelihood":0,"exploitation":0,"ransomware":0},"changes":[]}