CVE-2023-26159
Improper Input Validation vulnerability in follow-redirects (npm)

Weakness: Improper Input Validation | Known exploit: none | Fixable by Resolved Security

What is CVE-2023-26159 About?

This vulnerability affects `follow-redirects` versions prior to 1.15.4, which parse request and redirect URLs with Node's legacy `url.parse()` function. That parser accepts hostnames that the WHATWG `new URL()` parser rejects, for example a bracketed IPv4 address such as `[127.0.0.1]`. Because the two parsers disagree, a crafted URL can be seen with one hostname by a validation step that relies on `new URL()` and with another by the library when it actually connects, so traffic ends up at a host the application never intended to reach. Depending on how the application uses the library, this can lead to SSRF-style access to internal hosts, information disclosure, or phishing. Exploitation requires only a specially crafted URL.

Affected Software

follow-redirects <1.15.4

Technical Details

Before version 1.15.4, follow-redirects parsed every request URL and every `Location` header with Node's legacy `url.parse()` (and `url.resolve()`), without validating the resulting hostname. The legacy parser is more permissive than the WHATWG parser behind `new URL()`: a bracketed hostname that is not an IPv6 literal, such as `http://[127.0.0.1]:8080/`, makes `new URL()` throw, while `url.parse()` strips the brackets and yields the hostname `127.0.0.1`. Code that validates or allowlists a redirect target with `new URL()` therefore sees a parse error (and, depending on how that error is handled, may treat the URL as harmless or as not matching any blocked host), while follow-redirects goes on to connect to whatever hostname `url.parse()` produced. An attacker who controls a redirect target, either directly or through a server that answers with a crafted `Location` header, can use this disagreement to steer the application's request to a host the validation step never saw. The attack vector is simply a specially crafted URL that a vulnerable version of follow-redirects will process.

What is the Impact of CVE-2023-26159?

Successful exploitation lets an attacker steer the outbound request of the application that uses follow-redirects (the HTTP client behind libraries such as axios) to a host it did not intend to contact. Depending on what the application does with the response, that can mean SSRF against internal services, information disclosure, or, where the fetched content is relayed to end users, credential harvesting via phishing or the delivery of malware.

What is the Exploitability of CVE-2023-26159?

Exploitation requires a URL whose hostname Node's legacy url.parse() accepts but the WHATWG new URL() parser rejects, such as a bracketed address that is not an IPv6 literal. The complexity is moderate only in the sense that the attacker must understand this parser divergence; no special tooling is needed once it is known. There are no authentication or privilege requirements: the attacker only has to get the crafted URL in front of an application that uses a vulnerable follow-redirects version and follows redirects, either as the initial request target or as a Location header returned by a server the attacker controls. This is a remote exploitation scenario. The special condition is that the protective check relies on the error path of new URL(), which is exactly where the two parsers disagree. Risk is highest for applications that fetch user-supplied URLs, act as proxies or webhook senders, or follow redirects without re-validating the resolved target.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-26159?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds strict validation for bracketed hostnames: square brackets are only valid around an IPv6 literal, so a host such as [127.0.0.1] (or any other bracketed value that is not an IPv6 address) is rejected instead of being quietly parsed as 127.0.0.1. The same validation is applied consistently to the initial request URL and to every redirect target, so url.parse() can no longer yield a hostname that a stricter parser would have refused. That closes CVE-2023-26159 by preventing requests and redirects to syntactically invalid or ambiguous addresses, removing the SSRF and misrouting opportunities that specially crafted URLs exploited.

Available Upgrade Options

  • follow-redirects
    • <1.15.4 → Upgrade to 1.15.4 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2023-26159?

Similar Vulnerabilities: CVE-2023-29363, CVE-2023-35930, CVE-2023-26116, CVE-2023-37903, CVE-2023-37905