AdonisJS Redirects to Untrusted Sites with Malicious Links
GHSA-6qvv-pj99-48qm
CVE-2026-40255
Summary
AdonisJS applications using an outdated version of the HTTP server are vulnerable to redirects to malicious sites. An attacker can trick users into visiting a fake site by manipulating the URL link. To fix, update to AdonisJS version 8.2.0 or later, or configure the allowed hosts in your configuration file.
What to do
- On the 8.x line, update @adonisjs/http-server to version 8.2.0.
- On the 7.x line, update @adonisjs/http-server to version 7.8.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | adonisjs | http-server | >= 8.0.0-next.0, < 8.2.0; < 7.8.1 (fix: upgrade to 8.2.0) |
| npm | adonisjs | core | <= 7.3.1 |
Original title
AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions ...
Original description
AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in @adonisjs/http-server versions 7.8.1 and 8.2.0 and in @adonisjs/core version 7.4.0.
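As an added example (not code from AdonisJS or from the advisory), this is the host check a defender would place in front of a "redirect back to the Referer" helper: the Referer is only honoured when it parses as http(s) and its host is on the application's allowlist, otherwise a safe fallback path is used. The function names, the allowlist shape and the sample headers are assumptions constructed for the example.

```javascript
// Added example: host-validated "redirect back" (not @adonisjs/http-server code).
// Assumption: the app knows its own hosts; the allowlist shape here is made up.

/**
 * Return a safe redirect target derived from a Referer header.
 * - Only http/https URLs are accepted (rejects javascript:, data:, etc.).
 * - Relative and scheme-relative values ("//host/x") fail URL parsing -> fallback.
 * - The host (including any non-default port) must be on the allowlist.
 * - The result is path + query only, so the Location header stays same-origin.
 */
function safeBackUrl(referer, allowedHosts, fallback = '/') {
  if (typeof referer !== 'string' || referer.length === 0) return fallback;
  let url;
  try {
    url = new URL(referer); // throws on relative or malformed values
  } catch {
    return fallback;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  if (!allowed.has(url.host.toLowerCase())) return fallback;
  return url.pathname + url.search;
}

// Handler-side use: choose the Location header for a "go back" response.
function backLocation(headers, allowedHosts) {
  return safeBackUrl(headers['referer'], allowedHosts, '/');
}

// Constructed sample requests (hostnames are placeholders, not real targets).
const ALLOWED = ['app.example.com'];
const samples = [
  { referer: 'https://app.example.com/orders?page=2' }, // trusted host: kept
  { referer: 'https://attacker.example/phish' },        // foreign host: fallback
  { referer: 'javascript:alert(1)' },                   // non-http scheme: fallback
  { referer: '//attacker.example/phish' },              // scheme-relative: fallback
  {},                                                   // no Referer: fallback
];
for (const h of samples) {
  console.log(JSON.stringify(h.referer), '->', backLocation(h, ALLOWED));
}
```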
GHSA CVSS 3.1 score: 6.1
Vulnerability type
CWE-601
Open Redirect
- https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm
- https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e...
- https://github.com/adonisjs/http-server/releases/tag/v7.8.1
- https://github.com/adonisjs/http-server/releases/tag/v8.2.0
- https://github.com/advisories/GHSA-6qvv-pj99-48qm
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 14 Apr 2026