{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40255", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T17:31:45.787Z", "datePublished": "2026-04-16T22:25:38.155Z", "dateUpdated": "2026-04-17T18:43:10.697Z"}, "containers": {"cna": {"title": "@adonisjs/http-server has an Open Redirect vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm"}, {"name": "https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08"}, {"name": "https://github.com/adonisjs/http-server/releases/tag/v7.8.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/http-server/releases/tag/v7.8.1"}, {"name": "https://github.com/adonisjs/http-server/releases/tag/v8.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/http-server/releases/tag/v8.2.0"}], "affected": [{"vendor": "adonisjs", "product": "http-server", "versions": [{"version": ">= 8.0.0-next.0, < 8.2.0", "status": "affected"}, {"version": "< 7.8.1", "status": "affected"}]}, {"vendor": "adonisjs", "product": "http-core", "versions": [{"version": "< 7.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T22:25:38.155Z"}, "descriptions": [{"lang": "en", "value": "AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core."}], "source": {"advisory": "GHSA-6qvv-pj99-48qm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T18:42:55.549238Z", "id": "CVE-2026-40255", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T18:43:10.697Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "@adonisjs/http-server has an Open Redirect vulnerability", "source": {"advisory": "GHSA-6qvv-pj99-48qm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "adonisjs", "product": "http-server", "versions": [{"status": "affected", "version": ">= 8.0.0-next.0, < 8.2.0"}, {"status": "affected", "version": "< 7.8.1"}]}, {"vendor": "adonisjs", "product": "http-core", "versions": [{"status": "affected", "version": "< 7.4.0"}]}], "references": [{"url": "https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm", "name": "https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08", "name": "https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/adonisjs/http-server/releases/tag/v7.8.1", "name": "https://github.com/adonisjs/http-server/releases/tag/v7.8.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/adonisjs/http-server/releases/tag/v8.2.0", "name": "https://github.com/adonisjs/http-server/releases/tag/v8.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T22:25:38.155Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40255", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T18:42:55.549238Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-17T18:43:07.185Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40255", "state": "PUBLISHED", "dateUpdated": "2026-04-16T22:25:38.155Z", "dateReserved": "2026-04-10T17:31:45.787Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-16T22:25:38.155Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adonisjs:http-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77440DDE-F846-4D3F-B8EE-6592F09C6B72", "versionEndExcluding": "7.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:http-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4C3C876D-A1A4-4E64-9DB4-FF855A0449D7", "versionEndIncluding": "8.1.3", "versionStartExcluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adonisjs:core:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "587A4DBA-0A27-42AA-9DAE-8FB311B65313", "versionEndIncluding": "7.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core."}], "id": "CVE-2026-40255", "lastModified": "2026-04-27T14:22:52.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T23:16:33.267", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/adonisjs/http-server/releases/tag/v7.8.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/adonisjs/http-server/releases/tag/v8.2.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "http-core", "source": "cna", "vendor": "adonisjs"}, "product": "http-core", "vendor": "adonisjs"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0-next.0,8.2.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.8.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "http-server", "source": "cna", "vendor": "adonisjs"}, "product": "http-server", "vendor": "adonisjs"}], "analysis": {"en": {"generated_at": "2026-04-17T02:51:35.181429+00:00", "value": {"mitigation_remediation": ["Upgrade @adonisjs/http-server to version 7.8.1 or later and @adonisjs/core to 7.4.0 or later. ", "If the update cannot be applied immediately, modify the application code to validate that any URL used in response.redirect().back() points to the same domain as the host, rejecting external hosts. ", "After applying the patch or validation change, perform regression tests to confirm that only internal URLs are used and no external redirects occur. ", "Optionally, remove the usage of response.redirect().back() entirely and replace it with a fixed user\u2011controlled URL to avoid reliance on the Referer header."], "summary": {"action": "Immediate Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "Any project that uses @adonisjs/http-server through the response.redirect().back() or response.redirect('back') API and runs a vulnerable version is impacted. The vulnerability is present in @adonisjs/http-server prior to 7.8.1 and before 8.2.0, and in @adonisjs/core prior to 7.4.0.", "description_and_impact": "AdonisJS HTTP Server versions before 7.8.1 and 8.0.0\u2011next.0 through 8.1.3, as well as earlier @adonisjs/core releases, accept a Referer header from an incoming HTTP request and redirect the browser to that URL without verifying the target host. This flaw, identified as a CWE\u2011601 Open Redirect vulnerability, allows an attacker who can set or influence the Referer header to redirect honest users of the application to a malicious site, potentially facilitating phishing or other social\u2011engineering attacks.", "risk_and_exploitability": "The CVSS base score is 6.1, indicating a moderate severity. No EPSS value is available, and the issue is not listed in CISA's KEV catalog. The likely attack vector is a remote injection via crafted HTTP requests that supply a malicious Referer header. Attacker control of the Referer header allows malicious redirection of users without requiring authentication or exploit of additional services."}}}}, "created": "2026-04-17T03:00:08.439455+00:00", "updated": "2026-04-17T08:01:24.469528+00:00", "vendors": ["adonisjs", "adonisjs$PRODUCT$http-core", "adonisjs$PRODUCT$http-server"]}