From 66c792e60ea2d9857bd130d18fd70d15ce6d3629 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 16 Jun 2026 13:37:05 -0400
Subject: [PATCH] GH/SYNC: 1 new excon advisory
---
 gems/excon/CVE-2026-54171.yml | 43 +++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 gems/excon/CVE-2026-54171.yml
diff --git a/gems/excon/CVE-2026-54171.yml b/gems/excon/CVE-2026-54171.yml
new file mode 100644
index 0000000000..ec8d6814f9
--- /dev/null
+++ b/gems/excon/CVE-2026-54171.yml
@@ -0,0 +1,43 @@
+---
+gem: excon
+cve: 2026-54171
+ghsa: 48rx-c7pg-q66r
+url: https://www.cve.org/CVERecord?id=CVE-2026-54171
+title: redact additional sensitive/risky headers when following redirects
+date: 2026-06-03
+description: |
+ ## Impact
+
+ The redirect follower middleware previously failed to strip a number of
+ headers that are known to be sensitive and did not provide a way to
+ provide a custom list of headers to strip.
+
+ ## What kind of vulnerability is it? Who is impacted?
+
+ This could cause inadvertent leakage of sensitive data for users of the
+ RedirectFollower middleware in cases where the initial request includes
+ header information that is not intended for the new target.
+
+ ## Patches
+
+ Patch exists and is released in v1.5.0
+
+ ## Workarounds
+
+ Users can backport the fix (commit below) to a custom
+ redirect follower middleware.
+cvss_v3: 6.5
+patched_versions:
+ - ">= 1.5.0"
+related:
+ url:
+ - https://www.cve.org/CVERecord?id=CVE-2026-54171
+ - https://rubygems.org/gems/excon/versions/1.5.0
+ - https://github.com/excon/excon/releases/tag/v1.5.0
+ - https://github.com/excon/excon/blob/master/changelog.txt
+ - https://github.com/excon/excon/pull/901
+ - https://github.com/excon/excon/commit/ea89a35308a12f4b791b6c50f2cbd33f94889fa3
+ - https://github.com/excon/excon/security/advisories/GHSA-48rx-c7pg-q66r
+notes: |
+ - Use GHSA as cvss_v3.
+ - CVE-2026-54171 is reserved, not published.
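Review bot: The `title` value ("redact additional sensitive/risky headers when following redirects") reads as the upstream fix's commit subject rather than a statement of the weakness, so consumers listing advisories by title see the remediation, not the exposure. A title that names the affected component and the risk — constructed example: `title: Excon RedirectFollower middleware forwards sensitive request headers to redirect targets` — would match the `description` ("inadvertent leakage of sensitive data ... header information that is not intended for the new target") and the rest of the database. The `description` also says the fix adds a way to supply a custom header list, but nothing in this file names the option; a one-line pointer in `notes` to where the configurable list is documented (the linked PR or release notes) would help users who need to extend the default set. The first `related.url` entry duplicates the top-level `url`, which appears to be harmless but redundant.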