{"id":"CVE-2026-40255","summary":"@adonisjs/http-server has an Open Redirect vulnerability","details":"AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core.","aliases":["GHSA-6qvv-pj99-48qm"],"modified":"2026-07-08T08:13:47.532761929Z","published":"2026-04-16T22:25:38.155Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40255.json","cwe_ids":["CWE-601"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/adonisjs/http-server/releases/tag/v7.8.1"},{"type":"WEB","url":"https://github.com/adonisjs/http-server/releases/tag/v8.2.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40255.json"},{"type":"ADVISORY","url":"https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40255"},{"type":"FIX","url":"https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/adonisjs/core","events":[{"introduced":"0"},{"last_affected":"1920429948a290027df1c41cb2d607618a399d15"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"last_affected":"7.3.0"}],"cpe":"cpe:2.3:a:adonisjs:core:*:*:*:*:*:node.js:*:*"}},{"type":"GIT","repo":"https://github.com/adonisjs/http-server","events":[{"introduced":"0"},{"fixed":"f4e4c6c7b89af5d2c348cdb32895040cd77dbf08"},{"fixed":"2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08"},{"fixed":"384a5dff44c44ace6b53fe418560d0a83f4892b6"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"7.8.1"},{"last_affected":"8.1.3"},{"last_affected":"7.3.0"}],"source":["CPE_RANGE","REFERENCES"],"cpe":["cpe:2.3:a:adonisjs:http-server:*:*:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:core:*:*:*:*:*:node.js:*:*"]}}],"versions":["v7.3.0","v7.2.0","v7.1.1","v7.1.0","v7.0.1","v7.0.0","v7.0.0-next.29","v7.0.0-next.28","v7.0.0-next.27","v7.0.0-next.26","v7.0.0-next.25","v7.0.0-next.24","v7.0.0-next.23","v7.0.0-next.22","v7.0.0-next.21","v7.0.0-next.20","v7.0.0-next.19","v7.0.0-next.18","v7.0.0-next.17","v7.0.0-next.16","v7.0.0-next.15","v7.0.0-next.14","v7.0.0-next.13","v7.0.0-next.12","v7.0.0-next.11","v7.0.0-next.10","v7.0.0-next.9","v7.0.0-next.8","v7.0.0-next.7","v7.0.0-next.6","v7.0.0-next.5","v7.0.0-next.4","v7.0.0-next.3","v7.0.0-next.2","v7.0.0-next.1","v7.0.0-next.0","v6.19.0","v6.18.0","v6.17.2","v6.17.1","v6.17.0","v6.16.0","v6.15.2","v6.15.1","v6.15.0","v6.14.1","v6.14.0","v6.13.1","v6.13.0","v6.12.1","v6.12.0","v6.11.0","v6.10.1","v6.10.0","v6.9.1","v6.9.0","v6.8.0","v6.7.1","v6.7.0","v6.6.0","v6.5.0","v6.4.0","v6.3.1","v6.3.0","v6.2.3","v6.2.2","v6.2.1","v6.2.0","v5.9.0","v5.8.9","v5.8.8","v5.8.7","v5.8.6","v5.8.5","v5.8.4","v5.8.3","v5.8.2","v5.8.1","v5.8.0","v5.7.6","v5.7.5","v5.7.4","v5.7.3","v5.7.2","v5.7.1","v5.7.0","v5.6.2","v5.6.1","v5.6.0","v5.5.3","v5.5.2","v5.5.1","v5.5.0","v5.4.2","v5.4.1","v5.4.0","v5.3.4","v5.3.3","v5.3.2","v5.3.1","v5.3.0","v5.1.11","v5.1.10","v5.1.9","v5.1.8","v5.1.7","v5.1.6","v5.1.5","v5.1.4","v5.1.3","v5.1.2","v5.1.1","v5.1.0","v5.0.5-canary-rc-2","v5.0.5-canary-rc-1","v5.0.4-preview-rc-2.1","v5.0.4-preview-rc-2","v5.0.3-beta-rc-10","v5.0.2-beta-rc-9","v5.0.2-beta-rc-8","v5.0.2-beta-rc-7","v5.0.2-beta-rc-6","v5.0.2-beta-rc-5","v5.0.2-beta-rc-4","v5.0.1","v5.0.1-beta-rc-3","v5.0.1-beta-rc-2","v5.0.0-preview-rc-1.11","v5.0.0-preview-rc-1.10","v5.0.0-preview-rc-1.9","v5.0.0-preview-rc-1.8","v5.0.0-preview-rc-1.7","v5.0.0-preview-rc-1.6","v5.0.0-preview-rc-1.5","v5.0.0-preview-rc-1.4","vv5.0.0-preview-rc-1.4","v5.0.0-preview-rc-1.3","vv5.0.0-preview-rc-1.3","v5.0.0-preview-rc-1.2","vv5.0.0-preview-rc-1.2","v5.0.0-preview-rc-1.1","v5.0.0-preview-rc-1","v5.0.0-preview.5","v5.0.0-preview.4","v5.0.0-preview.3","v5.0.0-preview.2","v5.0.0-preview.1","v2.10.4","v2.10.3","v2.10.2","v2.10.1","v2.10.0","v2.9.0","v2.8.1","v2.8.0","v2.7.5","v2.7.4","v2.7.3","v2.7.2","v2.7.1","v2.7.0","v2.6.2","v2.6.1","v2.6.0","v2.5.1","v2.5.0","v2.4.0","v2.3.0","v2.2.1","v2.2.0","v2.1.4","v2.1.3","v2.1.2","v2.1.1","v2.1.0","v2.0.20","v2.0.19","v2.0.18","v2.0.17","v2.0.16","v2.0.15","v2.0.14","v2.0.13","v2.0.12","v2.0.11","v2.0.10","v2.0.9","v2.0.8","v2.0.7","v2.0.6","v2.0.5","v2.0.4","v2.0.3","v2.0.2","v2.0.1","v2.0.0","v1.10.0","@adonisjs/framework@v5.0.12","@adonisjs/framework@v5.0.11","@adonisjs/framework@v5.0.10","@adonisjs/framework@v5.0.9","@adonisjs/framework@v5.0.8","@adonisjs/framework@v5.0.7","@adonisjs/framework@v5.0.6","@adonisjs/framework@v5.0.4","@adonisjs/framework@v5.0.5","@adonisjs/framework@v5.0.3","@adonisjs/framework@v5.0.2","@adonisjs/framework@v5.0.1","@adonisjs/framework@v5.0.0","@adonisjs/framework@v4.0.31","@adonisjs/framework@v4.0.30","@adonisjs/framework@v4.0.27","@adonisjs/framework@v4.0.26","@adonisjs/framework@v4.0.25","@adonisjs/framework@v4.0.24","@adonisjs/framework@v4.0.23","@adonisjs/framework@v4.0.22","@adonisjs/framework@v4.0.21","@adonisjs/framework@v4.0.20","@adonisjs/framework@v4.0.19","@adonisjs/framework@v4.0.18","@adonisjs/framework@v4.0.17","@adonisjs/framework@v4.0.16","@adonisjs/framework@v4.0.15","@adonisjs/framework@v4.0.14","@adonisjs/framework@v4.0.13","@adonisjs/framework@v4.0.12","@adonisjs/framework@v4.0.11","@adonisjs/framework@v4.0.10","@adonisjs/framework@v4.0.9","@adonisjs/framework@v4.0.8","@adonisjs/framework@v4.0.7","@adonisjs/framework@v4.0.6","@adonisjs/framework@v4.0.5","@adonisjs/framework@v4.0.4","@adonisjs/framework@v4.0.3","@adonisjs/framework@v4.0.2","@adonisjs/framework@v4.0.1","@adonisjs/framework@v4.0.0","v7.8.0","v8.1.3","v8.1.2","v8.1.1","v8.1.0","v8.0.0","v8.0.0-next.19","v8.0.0-next.18","v7.7.0","v8.0.0-next.17","v8.0.0-next.16","v8.0.0-next.15","v8.0.0-next.14","v8.0.0-next.13","v8.0.0-next.12","v8.0.0-next.11","v8.0.0-next.10","v8.0.0-next.9","v8.0.0-next.8","v8.0.0-next.7","v8.0.0-next.6","v8.0.0-next.5","v8.0.0-next.4","v8.0.0-next.3","v8.0.0-next.2","v8.0.0-next.1","v8.0.0-next.0","v7.6.1","v7.6.0","v7.5.0","v7.4.0","v7.2.5","v7.2.4","v7.2.3","v7.2.2","v7.0.3","v7.0.2","v5.12.0","v5.11.0","v5.10.1","v5.10.0","v5.5.7","v5.5.6","v5.5.5","v5.5.4","v5.2.1","v5.2.0","v5.0.0","v4.0.9","v4.0.8","v4.0.7","v4.0.6","v4.0.5","v4.0.4","v4.0.3","v4.0.2","v4.0.1","v4.0.0","v3.0.3","v3.0.2","v3.0.1","v3.0.0","v1.8.2","v1.8.1","v1.8.0","v1.7.4","v1.7.3","v1.7.2","v1.7.1","v1.7.0","v1.6.6","v1.6.5","v1.6.4","v1.6.3","v1.6.2","v1.6.1","v1.6.0","v1.5.4","v1.5.3","v1.5.2","v1.5.1","v1.5.0","v1.4.0","v1.3.1","v1.3.0","v1.2.11","v1.2.10","v1.2.9","v1.2.8","v1.2.7","v1.2.6","v1.2.5","v1.2.4","v1.2.3","v1.2.2","v1.2.1","v1.2.0","v1.1.8","v1.1.7","v1.1.6","v1.1.5","v1.1.4","v1.1.3","v1.1.2","v1.1.1","v1.1.0","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40255.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}