Open Redirect in url-parse

2018-08-1315:02:15

CWE-425

GitHub Advisory Database

github.com

0.003 Low

EPSS

Percentile

70.3%

JSON

Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.

Recommendation

Update to version 1.4.3 or later.

CPENameOperatorVersion
url-parselt1.4.3

CPE	Name	Operator	Version
	url-parse	lt	1.4.3

References

github.com/advisories/GHSA-pv4c-p2j5-38j4

github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a

github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de

hackerone.com/reports/384029

nvd.nist.gov/vuln/detail/CVE-2018-3774

www.npmjs.com/advisories/678

0.003 Low

EPSS

Percentile

70.3%

JSON

Related for GHSA-PV4C-P2J5-38J4