PT-2023-8829 · Node.Js+4 · Follow-Redirects+4

Kim Donggyu · Published 2023-12-29 · Updated 2026-06-15

CVE-2023-26159

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: follow-redirects versions prior to 1.15.4

Description: The issue stems from improper handling of URLs by the url.parse() function in the follow-redirects module for Node.js. A remote attacker can exploit it to redirect traffic to a malicious site, potentially leading to information disclosure, phishing, or other security breaches. When new URL() throws an error, the fallback parsing can be manipulated so that the hostname is misinterpreted.

Recommendations: For versions prior to 1.15.4, update to version 1.15.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the url.parse() function until a patch is available, and avoid using new URL() with untrusted input until the issue is resolved.

Exploit

Fix

Open Redirect

RCE


Weakness Enumeration

Related identifiers

AZL-32314
AZL-38299
AZL-43636
AZL-45348
BDU:2024-02114
CVE-2023-26159
GHSA-JCHW-25XP-JWWC
USN-8217-1

Affected products

Bitbucket
Debian
Linuxmint
Ubuntu
Follow-Redirects