GHSA-8v38-pw62-9cw2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8v38-pw62-9cw2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-8v38-pw62-9cw2/GHSA-8v38-pw62-9cw2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8v38-pw62-9cw2
- Aliases
- Published
- 2022-02-18T00:00:33Z
- Modified
- 2023-11-08T04:07:37.455331Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- url-parse Incorrectly parses URLs that include an '@'
- Details
-
A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,
parse(\"http://@/127.0.0.1\")Will return:
{ slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' }If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.
- Database specific
{ "nvd_published_at": "2022-02-17T18:15:00Z", "cwe_ids": [ "CWE-639" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-02-22T18:08:05Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-0639
- https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788
- https://github.com/unshiftio/url-parse
- https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html
Affected packages
npm / url-parse
Package
- Name
- url-parse
- View open source insights on deps.dev
- Purl
- pkg:npm/url-parse