Vulnerability Details : CVE-2023-26159
Potential exploit
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Vulnerability category: Open redirectInput validationInformation leak
Products affected by CVE-2023-26159
- cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-26159
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 40 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-26159
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | 2024-01-09 |
7.3
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
3.9
|
3.4
|
Snyk | 2024-01-02 |
7.3
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
N/A
|
N/A
|
RedHat-CVE-2023-26159 | 2024-01-02 |
CWE ids for CVE-2023-26159
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: report@snyk.io (Secondary)
-
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-26159
-
https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137
Improper Input Validation in follow-redirects | CVE-2023-26159 | SnykExploit;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/
[SECURITY] Fedora 39 Update: pgadmin4-7.8-3.fc39 - package-announce - Fedora Mailing-Lists
-
https://github.com/follow-redirects/follow-redirects/pull/236
Fix bracketed hostnames by RubenVerborgh · Pull Request #236 · follow-redirects/follow-redirects · GitHubIssue Tracking;Patch
-
https://github.com/follow-redirects/follow-redirects/issues/235
[Security Report] hostname spoofing via url.parse in follow-redirects · Issue #235 · follow-redirects/follow-redirects · GitHubExploit;Issue Tracking
Jump to