chore(deps): @adonisjs/http-server v7.8.1 [security]#509

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-adonisjs-http-server-vulnerability

Conversation

Contributor

@renovate renovate Bot commented Apr 14, 2026

This PR contains the following updates:

Package | Change
@adonisjs/http-server | 7.8.0 → 7.8.1

@adonisjs/http-server has an Open Redirect vulnerability

CVE-2026-40255 / GHSA-6qvv-pj99-48qm

Impact

The response.redirect().back() method in @adonisjs/http-server is vulnerable to open redirects. The method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header (for example, by linking a user through an attacker-controlled page before a form submission) can cause the application to redirect users to a malicious external site.

This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back').

The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

Patches

This has been fixed in @adonisjs/http-server version 8.2.0. The back() method now validates the Referer header's host against the request's own Host header. Referrers from unrecognized hosts are rejected and the redirect falls back to / (or a developer-provided fallback URL).

Applications that operate across multiple domains can configure additional trusted hosts via the redirect.allowedHosts option in config/app.ts.

Users should upgrade to @adonisjs/http-server@^8.2.0 (or @adonisjs/core@^7.4.0 if using the core meta-package).

Workarounds

If upgrading is not immediately possible, avoid using response.redirect().back() in routes that are reachable by unauthenticated users or from pages that accept external traffic. Instead, redirect to a known safe path explicitly using response.redirect().toPath('/dashboard').

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

adonisjs/http-server (@adonisjs/http-server)

v7.8.1: Security fix: open redirect in response.redirect().back()

Fixes an open redirect vulnerability in response.redirect().back() where a crafted Referer header could redirect users to an attacker-controlled destination. The referrer is now validated against the request's Host header and a configurable allowedHosts list; invalid or cross-host referrers fall through to a safe fallback. Backported from 8.x (8.1.3).

response.redirect().back() no longer blindly trusts the Referer header. If the referrer host does not match the request host and is not listed in redirect.allowedHosts, back() now returns the fallback (/ by default). Apps that legitimately redirect back to an external host must add it to allowedHosts.

defineConfig({
  redirect: {
    allowedHosts: [],         // extra hosts accepted as referrers
    forwardQueryString: false // default for .withQs() on redirects
  }
})

Features

  • isValidRedirectUrl(url, currentHost?, allowedHosts?) — reusable URL validator (rejects protocol-relative //evil.com, validates absolute URL hosts)
  • getPreviousUrl(headers, allowedHosts, fallback) — helper used internally
  • request.getPreviousUrl(allowedHosts, fallback?) — exposed on HttpRequest
  • redirect.getPreviousUrl(fallback) — exposed on Redirect
  • redirect.back(fallback = '/') — back() now accepts a custom fallback
  • redirect.withQs(boolean) — overload to explicitly enable/disable query-string forwarding (useful when forwardQueryString: true is set as the default)

Bug Fixes
  • prevent open redirect in redirect back via referrer host validation (29cdb1c)

Full Changelog: adonisjs/http-server@v7.8.0...v7.8.1


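The referrer check that the advisory and the v7.8.1 release note describe, written out as an added JavaScript example. This is not @adonisjs/http-server's own code: the function names isSafeRedirectTarget, previousUrl and previousUrlUnvalidated are hypothetical, and the header objects are constructed samples. The logic mirrors what the text states (a relative path is accepted, an absolute URL is accepted only when its host equals the request's Host header or is in the allowed-host list, a protocol-relative reference such as //evil.example is rejected, and anything else falls through to the fallback), with the blindly trusting pre-fix pattern kept alongside for contrast.

```javascript
// Added example modelled on the fix described in the advisory (hypothetical names,
// not the library's API). Node.js, no third-party dependencies.

// Decide whether `candidate` (the raw Referer header value) is an acceptable
// redirect target for a request served on `currentHost` (the request's Host header).
function isSafeRedirectTarget(candidate, currentHost, allowedHosts = []) {
  if (typeof candidate !== 'string' || candidate.trim().length === 0) return false;
  const value = candidate.trim();

  // Protocol-relative references ("//evil.example/x") and backslash variants are
  // absolute URLs in disguise: the browser would resolve them to a foreign origin.
  if (value.startsWith('//') || value.startsWith('/\\') || value.startsWith('\\')) return false;

  // A plain relative path never leaves the current origin.
  if (value.startsWith('/')) return true;

  // Anything else must parse as an absolute http(s) URL whose host is trusted.
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false; // neither a relative path nor a parseable absolute URL
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;

  const trusted = new Set(
    [currentHost, ...allowedHosts].filter(Boolean).map((h) => h.toLowerCase())
  );
  // URL#host keeps a non-default port, matching how the Host header carries it.
  return trusted.has(parsed.host.toLowerCase());
}

// Resolve the "previous" URL for a redirect-back. Node lowercases incoming header
// names, so `headers.referer` is the Referer header (the common misspelling is the
// real header name; `referrer` is accepted as a courtesy).
function previousUrl(headers, allowedHosts = [], fallback = '/') {
  const referer = headers.referer ?? headers.referrer;
  return isSafeRedirectTarget(referer, headers.host, allowedHosts) ? referer : fallback;
}

// The vulnerable pattern the advisory describes, for contrast: the header is
// returned as-is, so whoever controls the referring page controls the redirect.
function previousUrlUnvalidated(headers, fallback = '/') {
  return headers.referer ?? fallback;
}

// Constructed sample: a request to app.example arriving from a foreign page.
const sampleHeaders = { host: 'app.example', referer: 'https://evil.example/phish' };

module.exports = { isSafeRedirectTarget, previousUrl, previousUrlUnvalidated, sampleHeaders };
```

Running previousUrl(sampleHeaders) yields '/', whereas previousUrlUnvalidated(sampleHeaders) returns the foreign URL unchanged; adding 'evil.example' to the allow-list would flip the validated result, which is why allowedHosts should list only domains the application genuinely owns.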
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 14, 2026
@github-actions

Visit the preview URL for this PR (updated for commit 3251775):

https://whatsappapijs--pr509-renovate-npm-adonisj-zhddvy4x.web.app

(expires Tue, 21 Apr 2026 20:06:20 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 80a8dc4ceea5c783aae1d47b75797ee5b6c2f4be
