Platform: nodejs
Component: follow-redirects
Fixed in: 1.14.7
CVE-2022-0155 describes an information exposure vulnerability in the follow-redirects package. This flaw allows unauthorized actors to potentially access private personal information. This issue affects follow-redirects versions prior to 1.14.7; version 1.14.7 addresses this vulnerability.
CVE-2022-0155 in the follow-redirects package exposes private personal information to unauthorized actors through improper handling of redirects. The vulnerability arises when the package, without sufficient validation, follows redirects to domains that are not explicitly trusted. An attacker could craft a malicious URL that initially points to a legitimate site, but then redirects to a server controlled by the attacker. This attacker-controlled server could then serve content designed to extract sensitive information from the user's browser, such as cookies, authentication tokens, or other session data. The blast radius extends to any application utilizing the follow-redirects package and processing user-supplied URLs. This includes web applications, APIs, and any other service that relies on this package to handle redirects. The risk is particularly acute in scenarios where the application handles sensitive user data, such as financial information, healthcare records, or personally identifiable information (PII). An attacker gaining access to this data could use it for identity theft, fraud, or other malicious purposes. The severity is amplified if the application is used in a high-trust environment or processes data subject to regulatory compliance (e.g., GDPR, HIPAA).
Currently, there are no publicly available exploitation reports or proof-of-concept (POC) code for CVE-2022-0155, according to KEV. However, the vulnerability's potential impact – exposure of private personal information – warrants immediate attention. While exploitation hasn't been observed, the ease with which an attacker could craft a malicious redirect chain makes this a high-priority vulnerability to remediate. The absence of public exploits does not diminish the risk; it simply means that exploitation has not yet been publicly disclosed. Given the potential for significant data breaches, organizations should prioritize patching or implementing the recommended workaround as soon as possible. The lack of public exploits may also mean that attackers are exploiting this vulnerability silently, making detection more difficult.
Exploit Status
EPSS: 1.30% (80th percentile)
CVSS Vector
To address CVE-2022-0155, immediately upgrade the follow-redirects package to version 1.14.7 or later. This version includes a fix that properly validates redirect targets, preventing the vulnerability. If upgrading is not immediately feasible, a temporary workaround involves implementing strict URL validation and sanitization within your application code before passing URLs to the follow-redirects package. Specifically, verify that the redirect target domain is within a trusted list or matches an expected pattern. This should be done on the server-side to prevent client-side manipulation. Ensure that any URL parsing or manipulation is performed securely to avoid introducing new vulnerabilities. After applying the upgrade or workaround, thoroughly test your application to confirm that redirects are handled correctly and that sensitive information is not exposed. This testing should include scenarios where redirects are present and scenarios where they are absent. Consider using a security scanner to automatically identify potential redirect-related vulnerabilities.
Update the follow-redirects dependency to version 1.14.7 or higher. This corrects the private personal information exposure vulnerability. Run `npm install follow-redirects@latest` or `yarn upgrade follow-redirects@latest` to update.
CVE-2022-0155 is a vulnerability in the follow-redirects package that allows unauthorized actors to potentially expose private personal information by improperly handling redirects.
Applications using versions of the follow-redirects package prior to 1.14.7 are potentially affected by this vulnerability.
Upgrade the follow-redirects package to version 1.14.7 or later to resolve this vulnerability.
As of now, there are no publicly available exploitation reports or proof-of-concept code for CVE-2022-0155.
Refer to the National Vulnerability Database (NVD) entry for CVE-2022-0155 at https://nvd.nist.gov/vuln/detail/CVE-2022-0155 for more information.