SNYK-JS-FOLLOWREDIRECTS-6141137
## Overview Affected versions of this package are vulnerable to Improper Handling of Extra Parameters due to the improper handling of URLs by the `url.parse()` function. When `new URL()` throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. ## PoC ```js # Case 1 : Bypassing localhost restriction let url = 'http://[localhost]/admin'; try{ new URL(url); // ERROR : Invalid URL }catch{ url.parse(url); // -> http://localhost/admin } # Case 2 : Bypassing domain restriction let url = 'http://attacker.domain*.allowed.domain:a'; try{ new URL(url); // ERROR : Invalid URL }catch{ url.parse(url); // -> http://attacker.domain/*.allowed.domain:a } ``` ## Remediation Upgrade `follow-redirects` to version 1.15.4 or higher. ## References - [GitHub Issue](https://github.com/follow-redirects/follow-redirects/issues/235) - [GitHub PR](https://github.com/follow-redirects/follow-redirects/pull/236)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Dec 31, 2023 CVE Updated
- Jan 1, 2024 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137 advisory
- https://github.com/follow-redirects/follow-redirects/issues/235 issue
- https://github.com/follow-redirects/follow-redirects/pull/236 patch
- http://[localhost technical
- http://localhost/admin technical
- http://attacker.domain*.allowed.domain:a' technical
- http://attacker.domain/*.allowed.domain:a technical