PT-2023-8829 · Node.Js+4 · Follow-Redirects+4
Kim Donggyu · Published 2023-12-29 · Updated 2026-06-15
CVE-2023-26159
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
follow-redirects versions prior to 1.15.4
Description
The issue stems from the improper handling of URLs by the url.parse() function in the follow-redirects module for Node.js. A remote attacker can exploit this to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. When new URL() throws an error, the fallback parsing can be manipulated so that the hostname is misinterpreted.
Recommendations
For versions prior to 1.15.4, update to version 1.15.4 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the url.parse() function until a patch is available.
Avoid using the new URL() function with untrusted input until the issue is resolved.
Exploit
Fix
Open Redirect
RCE
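The advisory's weak spot is the fallback from new URL() to the legacy url.parse() when the first parser throws. As an added example (not code from the advisory or from the follow-redirects project), the resolver below keeps only the WHATWG parser, refuses a redirect outright when it fails to parse, and then requires the hostname to match an explicit allowlist; the host api.example.com and the sample Location values are constructed for the demonstration.

```javascript
// Added example (not code from the advisory or from follow-redirects):
// resolve a redirect's Location header with the WHATWG URL parser only.
// When new URL() throws, the redirect is refused instead of being re-parsed
// with the legacy url.parse(), which is the fallback the advisory describes
// as misinterpreting the hostname. The hostname must then match an
// explicit allowlist before the redirect is followed.

function resolveRedirect(currentUrl, location, allowedHosts) {
  let target;
  try {
    // A relative Location is resolved against the URL that returned it.
    target = new URL(location, currentUrl);
  } catch (err) {
    // Parse failure: no second chance through url.parse(); treat as unsafe.
    return { ok: false, reason: 'unparseable', detail: err.message };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { ok: false, reason: 'scheme', detail: target.protocol };
  }
  // Exact match on the normalized hostname; no prefix or suffix matching,
  // so a longer name that merely ends in an allowed host does not pass.
  if (!allowedHosts.includes(target.hostname)) {
    return { ok: false, reason: 'host', detail: target.hostname };
  }
  return { ok: true, href: target.href };
}

// Constructed sample Location headers for a client that only trusts
// api.example.com (hypothetical host).
const ALLOWED_HOSTS = ['api.example.com'];
const SAMPLE_LOCATIONS = [
  '/v2/session',                        // same-origin relative redirect
  'https://api.example.com/v2/session', // same host, absolute
  'https://cdn.example.org/session',    // different host
  'http://exa mple.com/',               // space in host: new URL() throws
  'ftp://files.example.com/',           // unsupported scheme
];

// Evaluates every sample against the same starting URL; returns one
// decision per sample, in input order.
function checkSamples() {
  const from = 'https://api.example.com/v1/login';
  return SAMPLE_LOCATIONS.map((loc) => resolveRedirect(from, loc, ALLOWED_HOSTS));
}

for (const [i, r] of checkSamples().entries()) {
  console.log(SAMPLE_LOCATIONS[i], '->', r.ok ? `follow ${r.href}` : `refuse (${r.reason})`);
}
```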
Related Identifiers
Affected Products
Bitbucket
Debian
Linuxmint
Ubuntu
Follow-Redirects