Lucene search
GoogleOSV:GHSA-8V38-PW62-9CW2HistoryFeb 18, 2022 - 12:00 a.m.
url-parse Incorrectly parses URLs that include an '@'
2022-02-1800:00:33
Google
osv.dev
17
0.001 Low
EPSS
Percentile
40.5%
A specially crafted URL with an ‘@’ sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,
parse(\"http://@/127.0.0.1\")
Will return:
{
slashes: true,
protocol: 'http:',
hash: '',
query: '',
pathname: '/127.0.0.1',
auth: '',
host: '',
port: '',
hostname: '',
password: '',
username: '',
origin: 'null',
href: 'http:///127.0.0.1'
}
If the ‘hostname’ or ‘origin’ attributes of the output from url-parse are used in security decisions and the final ‘href’ attribute of the output is then used to make a request, the decision may be incorrect.
Related
redhatcve
redhatcve
CVE-2022-0639
2022-02-23 12:17:58
osv
osv
CVE-2022-0639
2022-02-17 18:15:08
node-url-parse - security update
2023-02-23 00:00:00
node-url-parse vulnerabilities
2023-03-27 14:59:16
github
github
url-parse Incorrectly parses URLs that include an '@'
2022-02-18 00:00:33
veracode
veracode
Authorization Bypass
2022-02-18 13:09:51
prion
prion
Authorization
2022-02-17 18:15:00
nvd
nvd
CVE-2022-0639
2022-02-17 18:15:08
huntr
huntr
in unshiftio/url-parse
2022-02-14 06:51:38
debiancve
debiancve
CVE-2022-0639
2022-02-17 18:15:08
cve
cve
CVE-2022-0639
2022-02-17 18:15:08
ubuntucve
ubuntucve
CVE-2022-0639
2022-02-17 00:00:00
cvelist
cvelist
nessus
nessus
Debian DLA-3336-1 : node-url-parse - LTS security update
2023-02-23 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-3336-1)
2023-02-23 00:00:00
Ubuntu: Security Advisory (USN-5973-1)
2023-03-28 00:00:00
debian
debian
[SECURITY] [DLA 3336-1] node-url-parse security update
2023-02-23 00:55:13
ubuntu
ubuntu
url-parse vulnerabilities
2023-03-27 00:00:00
ibm
ibm
redhat
redhat