Upgrade @adonisjs/http-server to version 7.8.1, 8.2.0 or higher.
@adonisjs/http-server is the AdonisJS HTTP server package, with built-in routing and cookie support.
Affected versions of this package are vulnerable to Open Redirect via the response.redirect().back() function. back() builds the redirect target from the request's Referer header, which is fully client-controlled, so an attacker who lures a user to a route that calls back() with a crafted Referer can send that user to an arbitrary external site.
This vulnerability can be mitigated by avoiding the use of response.redirect().back() in routes reachable by unauthenticated users or from pages that accept external traffic, and instead redirecting explicitly to a known safe path with response.redirect().toPath('/dashboard'). If the "return to previous page" behaviour is needed, accept the Referer only when it resolves to the same origin as the current request and fall back to a fixed path otherwise.