---
id: CVE-2026-54171
aliases:
  - GHSA-48rx-c7pg-q66r
title: >-
  Excon does not redact additional sensitive/risky headers when following
  redirects
summary: >-
  Excon does not redact additional sensitive/risky headers when following
  redirects
severity: medium
cvss: 6.5
vendor: excon
product: excon
ecosystem: rubygems
affected:
  - excon < 1.5.0
patched:
  - excon 1.5.0
published: '2026-07-10'
updated: '2026-07-10'
source: GHSA
sourceUrl: 'https://github.com/advisories/GHSA-48rx-c7pg-q66r'
references:
  - url: 'https://github.com/excon/excon/security/advisories/GHSA-48rx-c7pg-q66r'
  - url: >-
      https://github.com/excon/excon/commit/ea89a35308a12f4b791b6c50f2cbd33f94889fa3
  - url: >-
      https://github.com/rubysec/ruby-advisory-db/blob/master/gems/excon/CVE-2026-54171.yml
  - url: 'https://www.cve.org/CVERecord?id=CVE-2026-54171'
  - url: 'https://github.com/advisories/GHSA-48rx-c7pg-q66r'
tags:
  - ghsa
  - rubygems
ingestedAt: '2026-07-10T21:06:31.243Z'
---

## Overview

### Impact
The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip. 

_What kind of vulnerability is it? Who is impacted?_
This could cause inadvertent leakage of sensitive data for users of the RedirectFollower middleware in cases where the initial request includes header information that is not intended for the new target.

### Patches
Patch exists and is released in v1.5.0

### Workarounds
Users can backport the [fix](https://github.com/excon/excon/commit/ea89a35308a12f4b791b6c50f2cbd33f94889fa3) to a custom redirect follower middleware.

## Affected packages

- `excon < 1.5.0`

## Remediation

Upgrade to a patched release:

- `excon 1.5.0`
