Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
References
Link | Resource |
---|---|
https://github.com/follow-redirects/follow-redirects/issues/235 | Exploit Issue Tracking |
https://github.com/follow-redirects/follow-redirects/pull/236 | Issue Tracking Patch |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/ | |
https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137 | Exploit Third Party Advisory |
Configurations
History
23 Jan 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Jan 2024, 18:20
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/follow-redirects/follow-redirects/issues/235 - Exploit, Issue Tracking | |
References | () https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137 - Exploit, Third Party Advisory | |
References | () https://github.com/follow-redirects/follow-redirects/pull/236 - Issue Tracking, Patch | |
CWE | CWE-601 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
First Time |
Follow-redirects follow Redirects
Follow-redirects |
|
CPE | cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:* |
02 Jan 2024, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-02 05:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-26159
Mitre link : CVE-2023-26159
CVE.ORG link : CVE-2023-26159
JSON object : View
Products Affected
follow-redirects
- follow_redirects