GHSA-8v38-pw62-9cw2

Suggest an improvement
Source
https://github.com/advisories/GHSA-8v38-pw62-9cw2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-8v38-pw62-9cw2/GHSA-8v38-pw62-9cw2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8v38-pw62-9cw2
Aliases
Published
2022-02-18T00:00:33Z
Modified
2023-11-08T04:07:37.455331Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
url-parse Incorrectly parses URLs that include an '@'
Details

A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,

parse(\"http://@/127.0.0.1\")

Will return:

{
 slashes: true,
 protocol: 'http:',
 hash: '',
 query: '',
 pathname: '/127.0.0.1',
 auth: '',
 host: '',
 port: '',
 hostname: '',
 password: '',
 username: '',
 origin: 'null',
 href: 'http:///127.0.0.1'
 }

If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.

References

Affected packages

npm / url-parse

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.7