CVE-2023-26159: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26159 affects the follow-redirects package versions before 1.15.4. The vulnerability is related to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. This vulnerability was discovered and reported on December 29, 2023, and was disclosed on December 31, 2023 (GitHub Issue, Snyk Advisory).

The vulnerability occurs in the request function when parsing URL parameters. When new URL() throws an error due to invalid URL format, the code falls back to using the deprecated url.parse() function, which has a known hostname spoofing vulnerability. This fallback mechanism can be exploited to manipulate how hostnames are interpreted. The vulnerability has received a CVSS v3.1 base score of 7.3 (HIGH) from Snyk and 6.1 (MEDIUM) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Snyk Advisory, NVD).

An attacker could exploit this vulnerability to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. The vulnerability can be used to bypass hostname restrictions and perform hostname spoofing, which may result in SSRF (Server-Side Request Forgery) attacks (GitHub Issue, Snyk Advisory).

The recommended mitigation is to upgrade follow-redirects to version 1.15.4 or higher. The fix was implemented through a pull request that removes the usage of the deprecated url.parse() function and implements proper handling of bracketed hostnames (GitHub PR).