CVE-2023-26159

follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Las versiones del paquete follow-redirects anteriores a la 1.15.4 son vulnerables a una validación de entrada incorrecta debido al manejo inadecuado de las URL por parte de la función url.parse(). Cuando la nueva URL() arroja un error, se puede manipular para malinterpretar el nombre de host. Un atacante podría aprovechar esta debilidad para redirigir el tráfico a un sitio malicioso, lo que podría provocar la divulgación de información, ataques de phishing u otras violaciones de seguridad.

An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

*Credits: Kim Donggyu

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-02-20 CVE Reserved
2024-01-02 CVE Published
2024-01-10 EPSS Updated
2024-08-02 CVE Updated
2024-08-02 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CAPEC

References (6)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM

URL	Date	SRC
https://github.com/follow-redirects/follow-redirects/issues/235	2024-08-02
https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137	2024-08-02

URL	Date	SRC
https://github.com/follow-redirects/follow-redirects/pull/236	2024-01-23

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-26159	2024-06-20
https://bugzilla.redhat.com/show_bug.cgi?id=2256413	2024-06-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Follow-redirects Search vendor "Follow-redirects"		Follow Redirects Search vendor "Follow-redirects" for product "Follow Redirects"				< 1.15.4 Search vendor "Follow-redirects" for product "Follow Redirects" and version " < 1.15.4"		node.js		Affected