Improper Handling of Extra Parameters

[well-monkey]

Package Manager: npm
Vulnerable module: follow-redirects
Introduced through: t, webpack-dev-server@5.2.0 and others
Detailed paths
Introduced through: › webpack-dev-server@5.2.0 › http-proxy-middleware@2.0.7 › http-proxy@1.18.1 › follow-redirects@1.15.2
Overview
Affected versions of this package are vulnerable to Improper Handling of Extra Parameters due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

PoC

Case 1 : Bypassing localhost restriction

    let url = 'http://[localhost]/admin';
    try{
        new URL(url); // ERROR : Invalid URL
    }catch{
        url.parse(url); // -> http://localhost/admin
    }
    
    # Case 2 : Bypassing domain restriction
    let url = 'http://attacker.domain*.allowed.domain:a';
    try{
        new URL(url); // ERROR : Invalid URL
    }catch{
        url.parse(url); // -> http://attacker.domain/*.allowed.domain:a
    }

Remediation
Upgrade follow-redirects to version 1.15.4 or higher.