Fluid Attacks Database

Description

Follow Redirects improperly handles URLs in the url.parse() function Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-follow-redirects	=1.15.11+~1.14.4-1 \|\| =1.15.11+~1.14.4-2 \|\| =1.15.2+~1.14.1-1 \|\| =1.15.3+~1.14.2-1 \|\| =1.15.6+~1.14.4-1 \|\| =1.15.6+~1.14.4-2 \|\| =1.15.9+~1.14.4-1 \|\| =1.16.0+~1.14.4-1	-
npm	follow-redirects	>=0 <1.15.4	1.15.4
debian 11	node-follow-redirects	=1.13.1-1 \|\| =1.13.1-1+deb11u1 \|\| =1.14.5-1 \|\| =1.14.7+~1.13.1-1 \|\| =1.14.8+~1.14.0-1 \|\| =1.14.9+~1.14.1-1 \|\| =1.14.9+~1.14.1-2 \|\| =1.14.9+~1.14.1-3 \|\| =1.15.1+~1.14.1-1 \|\| =1.15.1+~1.14.1-2 \|\| =1.15.1+~1.14.1-3 \|\| =1.15.11+~1.14.4-1 \|\| =1.15.11+~1.14.4-2 \|\| =1.15.2+~1.14.1-1 \|\| =1.15.3+~1.14.2-1 \|\| =1.15.6+~1.14.4-1 \|\| =1.15.6+~1.14.4-2 \|\| =1.15.9+~1.14.4-1 \|\| =1.16.0+~1.14.4-1	-
debian 13	node-follow-redirects	>=0 <1.15.6+~1.14.4-1	1.15.6+~1.14.4-1
debian 14	node-follow-redirects	>=0 <1.15.6+~1.14.4-1	1.15.6+~1.14.4-1

Aliases

1. CVE-2023-261592. NVD-2023-261593. OSV-DEBIAN-2023-261594. OSV-2023-261595. GCVE-2023-261596. SECURITY-TRACKER-CVE-2023-26159

References

1. https://github.com/follow-redirects/follow-redirects/issues/2352. https://github.com/follow-redirects/follow-redirects/pull/2363. https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d4. https://lists.fedoraproject.org/archives/list/[email protected]/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM5. https://security.netapp.com/advisory/ntap-20241108-0002

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.