CVE-2023-26159 Overview
CVE-2023-26159 is an Improper Input Validation vulnerability affecting the follow-redirects package for Node.js. Versions prior to 1.15.4 are vulnerable due to improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname, allowing attackers to redirect traffic to malicious sites. This weakness could lead to information disclosure, phishing attacks, or other security breaches.
Critical Impact
Attackers can exploit URL parsing inconsistencies to perform open redirect attacks, potentially redirecting users to malicious websites for credential theft or malware distribution.
Affected Products
- follow-redirects (Node.js package) versions before 1.15.4
- Applications using follow-redirects for HTTP redirect handling
- Dependencies relying on follow-redirects (commonly used by axios, request, and other HTTP client libraries)
Discovery Timeline
- 2024-01-02 - CVE-2023-26159 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2023-26159
Vulnerability Analysis
This vulnerability stems from the inconsistent behavior between the legacy url.parse() function and the WHATWG URL constructor in Node.js when handling malformed URLs. The follow-redirects package uses URL parsing to determine redirect destinations, and when certain edge-case URLs cause new URL() to throw an error, the package falls back to url.parse() which may interpret the URL differently—specifically misinterpreting the hostname component.
The security impact allows an attacker to craft a specially formatted URL that passes initial validation but redirects to an unintended destination. This is classified as CWE-20 (Improper Input Validation) and CWE-601 (URL Redirection to Untrusted Site), commonly known as an Open Redirect vulnerability.
Root Cause
The root cause lies in the discrepancy between URL parsing implementations in Node.js. The legacy url.parse() function handles certain malformed URLs differently than the WHATWG URL constructor. When follow-redirects encounters a URL that causes new URL() to throw an exception, it falls back to using url.parse(), which may extract a different hostname from the same URL string. This inconsistency allows attackers to bypass hostname validation checks by crafting URLs that are interpreted differently by each parser.
Attack Vector
The attack is network-based and requires user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious URL that exploits the parsing discrepancy between url.parse() and new URL()
- Embedding this URL in a legitimate-looking link that appears to point to a trusted domain
- When the follow-redirects library processes the redirect chain, it misinterprets the hostname
- The user is ultimately redirected to an attacker-controlled site
This technique is commonly used in phishing campaigns where victims believe they are navigating to a trusted site but are instead redirected to a malicious destination. The attacker can then harvest credentials, distribute malware, or perform other malicious actions while maintaining the appearance of legitimacy.
Detection Methods for CVE-2023-26159
Indicators of Compromise
- Unusual redirect patterns in HTTP traffic where the final destination hostname differs unexpectedly from the initial request
- Web application logs showing redirect chains with malformed or suspicious URLs containing special characters
- User reports of being redirected to unexpected or suspicious websites from trusted applications
- Network traffic analysis revealing connections to known malicious domains following legitimate application requests
Detection Strategies
- Implement dependency scanning using tools like npm audit, Snyk, or OWASP Dependency-Check to identify vulnerable versions of follow-redirects
- Monitor application logs for URL parsing errors or warnings related to the url.parse() function
- Deploy web application firewalls (WAF) configured to detect and block open redirect attack patterns
- Use Software Composition Analysis (SCA) tools to continuously monitor for vulnerable package versions in your codebase
Monitoring Recommendations
- Enable verbose logging for HTTP redirect handling in applications using follow-redirects
- Set up alerts for dependency vulnerability disclosures affecting follow-redirects and related packages
- Monitor outbound network connections from applications for unexpected redirect destinations
- Implement URL validation logging to capture instances where parsed URLs produce unexpected hostnames
How to Mitigate CVE-2023-26159
Immediate Actions Required
- Upgrade follow-redirects to version 1.15.4 or later immediately
- Run npm audit or yarn audit to identify affected projects in your environment
- Review applications for transitive dependencies on follow-redirects (commonly included via axios, request, and other HTTP libraries)
- Implement allowlisting for permitted redirect destinations where feasible
Patch Information
The vulnerability has been addressed in follow-redirects version 1.15.4. The fix ensures consistent URL parsing behavior and properly validates hostnames throughout the redirect process. The patch details are available in the GitHub Pull Request #236. Additional security advisories have been published by Snyk, Fedora, and NetApp.
Workarounds
- Implement strict URL validation before passing URLs to follow-redirects, ensuring consistency between parsing methods
- Configure a maximum redirect limit to reduce exposure to redirect chain attacks
- Use an allowlist of permitted redirect domains to prevent redirects to untrusted hosts
- Consider implementing server-side URL validation that normalizes URLs before processing
# Update follow-redirects to patched version
npm update follow-redirects@1.15.4
# Or force resolution in package.json (npm 8.3+)
# Add to package.json:
# "overrides": {
# "follow-redirects": ">=1.15.4"
# }
# Verify installed version
npm list follow-redirects
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
