GHSA-9M9W-GXF7-RH8M
Vulnerability from github – Published: 2026-07-10 00:03 – Updated: 2026-07-10 00:03Summary
Tesla.Middleware.FollowRedirects is meant to strip the Authorization header when following a cross-origin redirect, but performs the check with a case-sensitive comparison against the lowercase string "authorization". Because Tesla preserves header keys exactly as supplied by the caller, any application that sets the header with its RFC 7235 canonical casing ("Authorization") bypasses the filter entirely, leaking bearer tokens or other credentials to whatever origin the redirect points at.
Details
The filter list in lib/tesla/middleware/follow_redirects.ex is defined as @filter_headers ["authorization", "host"] and the membership check k not in @filter_headers compares the raw key string without case normalization. HTTP header names are case-insensitive per RFC 7230, but Tesla stores them verbatim. A header tuple {"Authorization", "Bearer …"} does not match "authorization", so it passes through the filter and is forwarded to the redirect destination unchecked. The same defect applies to the "Host" entry.
An attacker who can control a Location: response seen by the victim client (their own endpoint, a redirect-open service, or a compromised upstream) receives the credential on the cross-origin follow. No special configuration is required beyond the victim using the standard header casing.
PoC
- Configure a Tesla client with
Tesla.Middleware.FollowRedirectsand set theAuthorizationheader using canonical casing ({"Authorization", "Bearer <token>"}). - Make a request to an endpoint that returns a
302redirect to a different origin. - Observe that the
Authorizationheader with its value is present in the request delivered to the redirect destination.
Impact
High severity (CVSS v4.0: 8.2). Any application using tesla 1.4.0 through 1.18.2 with Tesla.Middleware.FollowRedirects and a non-lowercase Authorization header is affected. The workaround is to use all-lowercase "authorization" as the header key until upgrading to 1.18.3.
Workarounds
Normalize all header keys to lowercase before passing them to Tesla. Use "authorization" instead of "Authorization" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers.
Resources
- Introduction commit: https://github.com/elixir-tesla/tesla/commit/2d937d5813d7cda5cd726f41824985fb655c920f
- Patch commit: https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "tesla"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "1.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48595"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T00:03:31Z",
"nvd_published_at": "2026-06-02T20:16:38Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`Tesla.Middleware.FollowRedirects` is meant to strip the `Authorization` header when following a cross-origin redirect, but performs the check with a case-sensitive comparison against the lowercase string `\"authorization\"`. Because Tesla preserves header keys exactly as supplied by the caller, any application that sets the header with its RFC 7235 canonical casing (`\"Authorization\"`) bypasses the filter entirely, leaking bearer tokens or other credentials to whatever origin the redirect points at.\n\n### Details\n\nThe filter list in `lib/tesla/middleware/follow_redirects.ex` is defined as `@filter_headers [\"authorization\", \"host\"]` and the membership check `k not in @filter_headers` compares the raw key string without case normalization. HTTP header names are case-insensitive per RFC 7230, but Tesla stores them verbatim. A header tuple `{\"Authorization\", \"Bearer \u2026\"}` does not match `\"authorization\"`, so it passes through the filter and is forwarded to the redirect destination unchecked. The same defect applies to the `\"Host\"` entry.\n\nAn attacker who can control a `Location:` response seen by the victim client (their own endpoint, a redirect-open service, or a compromised upstream) receives the credential on the cross-origin follow. No special configuration is required beyond the victim using the standard header casing.\n\n### PoC\n\n1. Configure a Tesla client with `Tesla.Middleware.FollowRedirects` and set the `Authorization` header using canonical casing (`{\"Authorization\", \"Bearer \u003ctoken\u003e\"}`).\n2. Make a request to an endpoint that returns a `302` redirect to a different origin.\n3. Observe that the `Authorization` header with its value is present in the request delivered to the redirect destination.\n\n### Impact\n\nHigh severity (CVSS v4.0: 8.2). Any application using `tesla` 1.4.0 through 1.18.2 with `Tesla.Middleware.FollowRedirects` and a non-lowercase `Authorization` header is affected. The workaround is to use all-lowercase `\"authorization\"` as the header key until upgrading to 1.18.3.\n\n### Workarounds\n\nNormalize all header keys to lowercase before passing them to Tesla. Use `\"authorization\"` instead of `\"Authorization\"` when setting headers via `Tesla.put_header/3` or `Tesla.Middleware.Headers`.\n\n### Resources\n\n* Introduction commit: https://github.com/elixir-tesla/tesla/commit/2d937d5813d7cda5cd726f41824985fb655c920f\n* Patch commit: https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182",
"id": "GHSA-9m9w-gxf7-rh8m",
"modified": "2026-07-10T00:03:31Z",
"published": "2026-07-10T00:03:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48595"
},
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-48595.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/elixir-tesla/tesla"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48595"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.