CVE-2023-26159 (GCVE-0-2023-26159)

Vulnerability from cvelistv5 – Published: 2024-01-02 05:00 – Updated: 2025-11-03 21:47
VLAI
Summary
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Severity
7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
Vendor Product Version
n/a follow-redirects Affected: 0 , < 1.15.4 (semver)
Credits
Kim Donggyu
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:47:30.161Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/follow-redirects/follow-redirects/issues/235"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/follow-redirects/follow-redirects/pull/236"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-26159",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-09T18:34:28.261000Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-601",
                "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T18:37:41.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "follow-redirects",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "1.15.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kim Donggyu"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "Improper Input Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-23T03:06:22.806Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"
        },
        {
          "url": "https://github.com/follow-redirects/follow-redirects/issues/235"
        },
        {
          "url": "https://github.com/follow-redirects/follow-redirects/pull/236"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2023-26159",
    "datePublished": "2024-01-02T05:00:00.659Z",
    "dateReserved": "2023-02-20T10:28:48.931Z",
    "dateUpdated": "2025-11-03T21:47:30.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-26159",
      "date": "2026-06-22",
      "epss": "0.00797",
      "percentile": "0.51664"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:*\", \"versionEndExcluding\": \"1.15.4\", \"matchCriteriaId\": \"5E9B14E8-F184-4F4C-8275-8FE1D093D258\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.\"}, {\"lang\": \"es\", \"value\": \"Las versiones del paquete follow-redirects anteriores a la 1.15.4 son vulnerables a una validaci\\u00f3n de entrada incorrecta debido al manejo inadecuado de las URL por parte de la funci\\u00f3n url.parse(). Cuando la nueva URL() arroja un error, se puede manipular para malinterpretar el nombre de host. Un atacante podr\\u00eda aprovechar esta debilidad para redirigir el tr\\u00e1fico a un sitio malicioso, lo que podr\\u00eda provocar la divulgaci\\u00f3n de informaci\\u00f3n, ataques de phishing u otras violaciones de seguridad.\"}]",
      "id": "CVE-2023-26159",
      "lastModified": "2024-11-21T07:50:54.353",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2024-01-02T05:15:08.630",
      "references": "[{\"url\": \"https://github.com/follow-redirects/follow-redirects/issues/235\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Issue Tracking\"]}, {\"url\": \"https://github.com/follow-redirects/follow-redirects/pull/236\", \"source\": \"report@snyk.io\", \"tags\": [\"Issue Tracking\", \"Patch\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\", \"source\": \"report@snyk.io\"}, {\"url\": \"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/follow-redirects/follow-redirects/issues/235\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\"]}, {\"url\": \"https://github.com/follow-redirects/follow-redirects/pull/236\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "report@snyk.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-26159\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2024-01-02T05:15:08.630\",\"lastModified\":\"2025-11-03T22:16:05.953\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.\"},{\"lang\":\"es\",\"value\":\"Las versiones del paquete follow-redirects anteriores a la 1.15.4 son vulnerables a una validaci\u00f3n de entrada incorrecta debido al manejo inadecuado de las URL por parte de la funci\u00f3n url.parse(). Cuando la nueva URL() arroja un error, se puede manipular para malinterpretar el nombre de host. Un atacante podr\u00eda aprovechar esta debilidad para redirigir el tr\u00e1fico a un sitio malicioso, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, ataques de phishing u otras violaciones de seguridad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.15.4\",\"matchCriteriaId\":\"5E9B14E8-F184-4F4C-8275-8FE1D093D258\"}]}]}],\"references\":[{\"url\":\"https://github.com/follow-redirects/follow-redirects/issues/235\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/follow-redirects/follow-redirects/pull/236\",\"source\":\"report@snyk.io\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\",\"source\":\"report@snyk.io\"},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/follow-redirects/follow-redirects/issues/235\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/follow-redirects/follow-redirects/pull/236\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20241108-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/follow-redirects/follow-redirects/issues/235\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/follow-redirects/follow-redirects/pull/236\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20241108-0002/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T21:47:30.161Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-26159\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-01-09T18:34:28.261000Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T18:37:36.035Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Kim Donggyu\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"follow-redirects\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.15.4\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\"}, {\"url\": \"https://github.com/follow-redirects/follow-redirects/issues/235\"}, {\"url\": \"https://github.com/follow-redirects/follow-redirects/pull/236\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-20\", \"description\": \"Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2024-01-23T03:06:22.806Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-26159\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T21:47:30.161Z\", \"dateReserved\": \"2023-02-20T10:28:48.931Z\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"datePublished\": \"2024-01-02T05:00:00.659Z\", \"assignerShortName\": \"snyk\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.