Azure Linux Attestation and CVE-2023-26159 Follow Redirects Explained

Microsoft’s short public mapping that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for the Azure Linux images Microsoft inspected — but it is not a technical guarantee that no other Microsoft product can or does include the same vulnerable Node.js package. //archive.ph/2025.12.07-190050/https%3A/msrc.microsoft.com/update-guide/vulnerability/CVE-2024-45336)

Background / Overview​

The vulnerability tracked as CVE‑2023‑26159 affects the widely used Node.js package follow-redirects in versions prior to 1.15.4 (and related transitive versions reported subsequently). The root cause is improper input validation in the package’s URL-handling logic: when the code path that relies on the platform URL parser throws, follow-redirects could misinterpret the hostname of a redirect target and follow or return a redirect to a host other than the one intended by the original URL. Exploitation enables an attacker to craft URLs that cause a vulnerable consumer to follow redirects to attacker-controlled endpoints, enabling phishing-like redirection, credential exposure or information leakage in some contexts.
Microsoft’s advisory language — the sentence quoted above — is a deliberate product‑scoped attestation that matters operationally: it tells Azure Linux users to treat the package as in‑scope for remediation and to expect machine‑readable attestations from Microsoft (CSAF/VEX) describing exploitability status and product mappings. Microsoft has also said it will update CVE mappings if impact to additional products is identified.
This article explains what that wording actually means, why it’s useful but not exclusive, how the vulnerability works in practice, and what defenders — whether they run Azure Linux, other Microsoft artifacts, or mixed estates — should do now.

---

What the vulnerability actually is (technical summary)​

How follow-redirects parses and follows URLs​

• follow-redirects is a small helper library used by many Node.js HTTP clients (including popular higher‑level libraries such as axios) to transparently follow HTTP(S) redirects.
• It relies on Node platform URL parsing APIs (e.g., the WHATWG URL constructor and the legacy url.parse()) and implements logic to resolve relative redirects against the original location and to control which headers are forwarded across cross‑domain redirects.

The failure mode​

• Under certain malformed input conditions, new URL() throws an error or the legacy parser enters an exceptional branch.
• The follow-redirects error-handling logic did not sufficiently guard the hostname/host resolution in that error path, allowing an attacker‑controlled input to be interpreted such that the effective redirect host becomes attacker-controlled rather than the legitimate target.
• The net result: an application that blindly follows redirects using a vulnerable follow-redirects version can be coerced into making requests to an attacker-controlled host or redirecting users there, producing possible credential leakage, token exposure, phishing redirections, or information disclosure depending on how the application consumes the redirect output.

Confirmed fixed versions and variant advisories​

• Upstream follow-redirects maintainers published fixes and version bumps to harden parsing and header handling. Vendors and distribution advisories list slightly different fixed version numbers due to packaging differences (for example, distribution-maintained package versions may be offset), but the upstream guidance is to upgrade to at least the patched line (the package line beginning at 1.15.4+ with later vendor follow-ups). Community vulnerability databases and maintainers (Snyk, NVD/CVEdetails, advisory trackers) independently document the issue and the recommended fixed versions.

---

What Microsoft’s Azure Linux statement means — and what it does not mean​

Read the sentettestation​

When Microsoft’s Security Response Center (MSRC) writes that “Azure Linux includes this open‑source library and is therefore potentially affected,” it is:

• A precise, product‑scoped assertion: Microsoft checked Azure Linux images (the distribution it builds and publishes) and found instances of the implicated component. Azure Linux customers should act on that information.
• A practical triage signal: MSRC’s attestation narrows immediate remediation priority to the named product so operations teams can act quickly where Microsoft has confirmed exposure.

But it is not an exclusivity guarantee​

• The sentence does not mean Microsoft exhaustively scanned every Microsoft product and confirmed that only Azure Linux contains follow-redirects. Microsoft explicitly framed the attestation as the scope of the inventory it completed and pledged to update the CVE/VEX mapping if more products are later identified. That is a process statement, not a proof of uniqueness.
• A single product attestation is common practice: vendors will often publish immediate findings for a product they have inspected, then roll out machine-readable VEX/CSAF attestations for more products over time. Microsoft began publishing CSAF/VEX attestations as part of a transparency effort and will expand the coverage iteratively.

Practical implication for defenders​

• If you run Azure Linux images: treat the MSRC attestation as authoritative and remediate first. Patch or rebuild with fixed follow-redirects versions.
• If you run other Microsoft artifacts (WSL kernels, Azure agents, Azure services’ containers, developer tools or commercial products): do not assume they are unaffected simply because they are not named. Until Microsoft publishes a “Not Affected” or “Fixed” VEX entry for those products, you should treat them as unverified and perform artifact-level discovery.

---

Why other Microsoft products could also be affected (realistic pathways)​

It is technically feasible for many Microsoft artifacts to contain the same vulnerable package or code path. A few concrete reasons:

• Transitive dependencies: follow-redirects is commonly pulled in transitively (for example, via axios or other HTTP client stacks). Any product that bundles JavaScript packages or ships Node-based tooling could include follow-redirects without being obvious from top-level manifests.
• Bundled or embedded modules: some applications and installers embed Node modules into larger binaries or pack them into static archives; source-level dependency checks can miss such occurrences unless artifacts are unpacked and scanned.
• Container images and agents: cloud services, agent-based telemetry, CI runners, and containerized microservices often include multiple layered pcontainer image, management agent, or internal CI image could include follow-redirects as a transitive dependency.
• Third-party components used by Microsoft products: Microsoft products and services sometimes incorporate upstream open‑source components or vendor-supplied third‑party packages that themselves pull follow-redirects.

Each pathway is a plausible cause for the same vulnerability to appear in more than one product; the only way to be certain for a given product is an artifact-level inventory or Microsoft’s VEX attestation for that product.

---

Verification and triage: a step‑by‑step playbook for security teams​

If your environment includes Microsoft images, services, or distributed artifacts, follow this prioritized checklist:

1. Prioritize Azure Linux images first
   • Apply vendor updates for Azure Linux images or rebuild images using updated package sets.
   • Reboot / redeploy where necessary to ensure running instances are replaced with patched images.
2. Search your source and artifact stores for follow-redirects occurrences
   • Code-level search (package.json, yarn.lock, package-lock.json) for “follow-redirects” or for libraries known to depend on it (e.g., axios).
   • Binary/artifact unpacking: scan built archives, packaged installers and container image layers with a software composition analysis (SCA) tool that inspects transitive dependencies.
   • Don’t forget vendor-supplied or third‑party code your teams consume.
3. Scan all container images and build pipelines
   • Ensure CI pipelines resolve to fixed transitive versions; update base images and rebuild.
   • For containers running in cloud services, replace running containers with rebuilt images containing the fixed follow-redirects version.
4. Check for bundled or embedded modules
   • Use unpack-and-scan tools to inspect installers, packaged executables, or tarballs that may carry Node modules baked in.
   • If an application embeds a Node runtime or bundles node_modules, updating the embedded module may require rebuilding the application.
5. Patch and/or upgrade
   • Upgrade follow-redirects to the fixed line in every artifact where it appears, or upgrade the higher-level package (e.g., axios) to a release that pulls the fixed follow-redirects, then rebuild and redeploy.
6. Mitigate when immediate patching is infeasible
   • Implement input validation and strict redirect-handling on the application layer: do not blindly follow external redirects without validating the destination host against allow-lists or applying normalization.
   • Where possible, avoid following redirects automatically for high-sensitivity flows (authentication endpoints, proxy-auth headers, or token exchange flows).
7. Ingest VEX/CSAF attestations once published
   • Microsoft’s VEX/CSAF outputs can be consumed by automation to mark products as “Known Affected”, “Fixed”, or “Not Affected”. Subscribe to Microsoft’s machine‑readable feeds and combine them with your internal inventory.

---

Detection: how to spot exploitation or risky behavior​

• Log and monitor outgoing HTTP(S) requests from services that follow redirects. Look for:
  • Unexpected hostnames reached as a result of redirects.
  • Requests that switch from a trusted domain to a previously unseen external host after a redirect.
• Audit user-facing links and redirect flows in web applications to ensure they do not perform authentication or credential-forwarding across untrusted domains.
• Review proxy logs for unexpected forwarding of proxy-authentication headers across domain boundaries — prior related follow-redirects issues involved header leakage scenarios.
  governance: inventory, VEX, and vendor attestations

Microsoft’s shift to publish CSAF/VEX attestations for Azure Linux and a roadmap to expand VEX coverage is a positive step for defenders: machine-readable attestations can automate triage and reduce uncertainty. However, this capability is incremental and only as good as the coverage it achieves.

• CSAF/VEX reduces noise when vendors declare per-product exploitability status; automation can demote or mark entries as low priority when a product is marked “Not Affected”.
• VEX rollouts are staged. Microsoft started with Azure Linux and will expand attestations to additional psence of an attestation for a product is not proof of absence of the vulnerability. Teams must therefore retain artifact-level scanning and not rely solely on vendor attestations until coverage is proven.

---

Risk analysis and tradeoffs​

Strengths of Microsoft’s approach​

• Timely, product-specific signal: The Azure Linux attestation gives immediate, actionable guidance to a defined customer base.
• Machine-readable intent: Publishing VEX/CSAF is an industry-best practice that simplifies automation and reduces false positives in orchestration systems. (microsoft.com)

Residual risks​

• Scope misinterpretation: Non-expert readers may misread a single-product attestation as a global claim of exclusivity — leading to missed exposure in other artifacts.
• Transitive and embedded exposures: Automatic updates of top-level dependencies do not always reach nested or embedded occurrences; some vulnerable instances can remain in binary artifacts, CI cache layers, or vendor-provided packages.
• **Patch-or-rebuild frictive dependencies often requires rebuilding images and redeploying; operational delays increase exposure windows.

---

Quick reference — What to tell your Ops and Dev teams right now​

• For Azure Linux operators: apply Microsoft-published patches or rebuild with updated package sets immediately. Treat the MSRC attestation as high-priority guidance.
• For teams that ship Node-based applications, services or container images:
  • Run an SCA scan for follow-redirects and axios occurrences.
  • Upgrade follow-redirects where found or upgrade the consuming package that brings it in transitively.
  • Rebuild and redeploy all images, agents, or application bundles that include the vulnerable component.
• For security teams:
  • Ingest Microsoft’s CSAF/VEX feeds and marry them with your internal inventory, but continue artifact‑level scanning until VEX coverage for your Microsoft product set is complete.

---

Conclusion — a clear operational posture​

Microsoft’s public advisory naming Azure Linux as a product that “includes this open‑source library and is therefore potentially affected” is an important and actionable inventory statement for Azure Linux customers; it tells them to remediate now.
However, that statement is deliberately scoped and does not constitute a proof that no other Microsoft product includes the vulnerable follow-redirects library. Other Microsoft artifacts — agents, containers, SDKs, developer tools, or bundled binaries — could include the same vulnerable transitive dependency. Defenders must therefore combine three things to reduce risk effectively:

• Prioritize and patch Azure Linux immediately per Microsoft’s attestation.
• Perform artifact‑level discovery and remediation across your estate (search, unpack and scan, rebuild, redeploy).
• Ingest and act on Microsoft’s CSAF/VEX attestations as they become available, but treat absent attestations as unverified rather than safe.

In short: treat Microsoft’s attestation as authoritative for the named product and helpful for automation, but don’t let it become an excuse not to inventory and verify other Microsoft artifacts you depend upon.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center