Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

EEF-CVE-2026-48595

High CVSS: 8.2
Permalink JSON

Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects

Affected Packages Affected Versions Fixed Versions
hex:tesla >= 1.4.0, < 1.18.3 1.18.3
574 Dependent packages
1,212 Dependent repositories
71,937,402 Downloads total

Affected Version Ranges

All affected versions

1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.18.2

All unaffected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.1, 0.2.2, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.10.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.18.3, 1.20.0

Potentially Affected Packages

These packages share the same source repository and may be affected by this vulnerability, but are not listed in the advisory.

Package Ecosystem Latest Version Classification
github.com/elixir-tesla/tesla go Repackage

Summary

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.

Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.

This issue affects tesla: from 1.4.0 before 1.18.3.

Workaround

Normalize all header keys to lowercase before passing them to Tesla. Use "authorization" instead of "Authorization" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers.

Configuration

The application must include Tesla.Middleware.FollowRedirects in its Tesla middleware pipeline.

References:

Identifiers

EEF-CVE-2026-48595

GHSA-9m9w-gxf7-rh8m

CVE-2026-48595

Risk

Severity

High

CVSS

CVSS Score: 8.2

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Source

Erlang Ecosystem Foundation

Origin

Erlef

Repository

https://github.com/elixir-tesla/tesla
View on Ecosyste.ms

Date and time

Published

13 days ago

Updated

12 days ago

API

JSON