CVE-2023-26159Improper Input Validation in Project Follow-redirects

CWE-20Improper Input ValidationCWE-601Open Redirect8 documents7 sources
Severity
6.1MEDIUMNVD
CNA7.3
EPSS
0.1%
top 72.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Follow-redirects Project Follow-redirectsFollow-redirects Follow Redirects
Timeline
PublishedJan 2
Latest updateJan 9

Description

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
CVEList
CVE-2023-26159: Versions of the package follow-redirects before 12024-01-02
OSV
Follow Redirects improperly handles URLs in the url.parse() function2024-01-02
GHSA
Follow Redirects improperly handles URLs in the url.parse() function2024-01-02
OSV
CVE-2023-26159: Versions of the package follow-redirects before 12024-01-02

📋Vendor Advisories

3
Microsoft
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error it c2024-01-09
Red Hat
follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()2024-01-02
Debian
CVE-2023-26159: node-follow-redirects - Versions of the package follow-redirects before 1.15.4 are vulnerable to Imprope...2023
CVE-2023-26159 — Improper Input Validation | cvebase