
CVE-2023-26159:
Follow Redirects improperly handles URLs in the url.parse() function

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.2427%
Published: 1/2/2024
Updated: 1/31/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: follow-redirects
Ecosystem: npm
Vulnerable Versions: < 1.15.4
First Patched Version: 1.15.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two key functions: 1) The request function's fallback to url.parse() after failed URL validation created an injection vector for malformed hostnames. 2) parseUrl's direct use of url.parse() without bracket validation allowed IP/domain spoofing. The patch added hostname validation (validateUrl) and removed url.parse() fallbacks, confirming these were the vulnerable paths. Commit 7a6567e specifically modified these areas to address CVE-2023-26159.

WAF Protection Rules

WAF Rule

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname.
