VDB

SNYK-JS-FOLLOWREDIRECTS-6141137

SNYK-JS-FOLLOWREDIRECTS-6141137 PUBLISHED CVSS 7.300000190734863 HIGH

## Overview Affected versions of this package are vulnerable to Improper Handling of Extra Parameters due to the improper handling of URLs by the `url.parse()` function. When `new URL()` throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. ## PoC ```js # Case 1 : Bypassing localhost restriction let url = 'http://[localhost]/admin'; try{ new URL(url); // ERROR : Invalid URL }catch{ url.parse(url); // -> http://localhost/admin } # Case 2 : Bypassing domain restriction let url = 'http://attacker.domain*.allowed.domain:a'; try{ new URL(url); // ERROR : Invalid URL }catch{ url.parse(url); // -> http://attacker.domain/*.allowed.domain:a } ``` ## Remediation Upgrade `follow-redirects` to version 1.15.4 or higher. ## References - [GitHub Issue](https://github.com/follow-redirects/follow-redirects/issues/235) - [GitHub PR](https://github.com/follow-redirects/follow-redirects/pull/236)

Risk Scores

CVSS 3.1
7.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

Affected Products

VendorProductVersions
0

Timeline

  • Dec 31, 2023 CVE Updated
  • Jan 1, 2024 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›