GHSA-jf5r-8hm2-f872

Suggest an improvement
Source
https://github.com/advisories/GHSA-jf5r-8hm2-f872
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-jf5r-8hm2-f872/GHSA-jf5r-8hm2-f872.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jf5r-8hm2-f872
Aliases
Published
2022-02-22T00:00:30Z
Modified
2023-11-08T04:07:38.379085Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.
Details

Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.

If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.

This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example:

const parse = require('url-parse')
const express = require('express')
const app = express()
const port = 3000

url = parse(\"\\bjavascript:alert(1)\")

console.log(url)

app.get('/', (req, res) => {
 if (url.protocol !== \"javascript:\") {res.send(\"&lt;a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")}
 })

app.listen(port, () => {
 console.log(`Example app listening on port ${port}`)
 })
Database specific
{
    "nvd_published_at": "2022-02-21T09:15:00Z",
    "cwe_ids": [
        "CWE-639"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-01T19:05:20Z"
}
References

Affected packages

npm / url-parse

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.9