Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2026-48856
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 2 weeks ago Activity log
  • Created suggestion 2 weeks ago
httpc leaks Authorization header to cross-origin redirect targets

Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.

Affected products

inets
  • *
erlang/otp
  • *
  • <688d748d6f7a6a06b13b662a1d3de8af97079612

Matching in nixpkgs

pkgs.cotp

Trustworthy, encrypted, command-line TOTP/HOTP authenticator app with import functionality

pkgs.otpw

One-time password login package

  • nixos-unstable 1.5
    • nixpkgs-unstable 1.5
    • nixos-unstable-small 1.5
  • nixos-26.05 1.5
    • nixos-26.05-small 1.5
    • nixpkgs-26.05-darwin 1.5

pkgs.libcotp

C library that generates TOTP and HOTP

pkgs.otpauth

Google Authenticator migration decoder

pkgs.hotpatch

Hot patching executables on Linux using .so file injection

  • nixos-unstable 0.2
    • nixpkgs-unstable 0.2
    • nixos-unstable-small 0.2
  • nixos-26.05 0.2
    • nixos-26.05-small 0.2
    • nixpkgs-26.05-darwin 0.2

pkgs.totp-cli

Authy/Google Authenticator like TOTP CLI tool written in Go

pkgs.otpclient

Highly secure and easy to use OTP client written in C/GTK that supports both TOTP and HOTP

pkgs.tpm2-totp

Attest the trustworthiness of a device against a human using time-based one-time passwords

pkgs.godotpcktool

Standalone tool for extracting and creating Godot .pck files

  • nixos-unstable 2.2
    • nixpkgs-unstable 2.2
    • nixos-unstable-small 2.2
  • nixos-26.05 2.2
    • nixos-26.05-small 2.2
    • nixpkgs-26.05-darwin 2.2

pkgs.nitrotpm-tools

Collection of utilities for working with NitroTPM attestation

pkgs.gnomeExtensions.totp

Generate One-Time Passwords (aka OTP, both TOTP and HOTP) for websites that use Two-Factor Authentication (2FA) like Google, Facebook, Discord, Amazon, Steam, etc.

  • nixos-unstable 54
    • nixpkgs-unstable 54
    • nixos-unstable-small 54
  • nixos-26.05 54
    • nixos-26.05-small 54
    • nixpkgs-26.05-darwin 54

pkgs.gnomeExtensions.bootpaper

Randomly selects a new wallpaper on startup from local folder

  • nixos-unstable 6
    • nixpkgs-unstable 6
    • nixos-unstable-small 6
  • nixos-26.05 6
    • nixos-26.05-small 6
    • nixpkgs-26.05-darwin 6

Package maintainers