GHSA-3329-pjwv-fjpg

Source
https://github.com/advisories/GHSA-3329-pjwv-fjpg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-3329-pjwv-fjpg/GHSA-3329-pjwv-fjpg.json
Aliases
Published
2020-12-30T23:40:48Z
Modified
2023-11-08T04:03:18.208605Z
Details

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https://expected-example.com\@observed-example.com Escaped string: https://expected-example.com\\@observed-example.com (JavaScript strings must escape backslash)

Affected versions incorrectly return observed-example.com. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass) PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

Alesandro Ortiz

References

Affected packages

npm / urijs

Package

Name
urijs

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.19.4