url-parse is vulnerable to authorization bypass. The vulnerability exists in the Url function of index.js because the user name and password are not properly handled, which allows a malicious user to modify user information.
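
A defensive pre-check for this class of issue, as an added example that is not url-parse code and not part of the advisory: it uses the WHATWG URL class built into Node.js to refuse any URL that carries userinfo before the URL is handed to another parser. The allow-list, the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Assumption: the application only ever needs to reach these hosts (constructed).
const ALLOWED_HOSTS = new Set(['api.example.com']);

// Raw text between "//" and the next "/", "?" or "#" (the RFC 3986 authority).
function authorityOf(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(raw.trim());
  return m ? m[1] : null;
}

// Returns { ok: true, host } or { ok: false, reason }.
function checkUrl(raw) {
  let u;
  try {
    u = new URL(raw); // WHATWG parser, independent of url-parse
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  if (u.protocol !== 'https:') return { ok: false, reason: 'scheme' };

  const authority = authorityOf(raw);
  if (authority === null) return { ok: false, reason: 'authority' };

  // Refuse credentials in the parsed fields and any "@" in the raw authority,
  // so an empty or oddly delimited userinfo part is rejected as well.
  if (u.username || u.password || authority.includes('@')) {
    return { ok: false, reason: 'userinfo' };
  }
  if (!ALLOWED_HOSTS.has(u.hostname)) return { ok: false, reason: 'host' };
  return { ok: true, host: u.hostname };
}

// Constructed sample inputs.
const samples = [
  'https://api.example.com/v1/users',
  'https://user:pass@api.example.com/',
  'https://api.example.com@other.example.net/',
  'https://@api.example.com/',
  'https://other.example.net/',
];
for (const s of samples) {
  console.log(s, JSON.stringify(checkUrl(s)));
}
```

Only URLs that pass checkUrl should reach code that makes an authorization decision on the parsed host or credentials.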
github.com/advisories/GHSA-rqff-837h-mm52
github.com/unshiftio/url-parse/blob/master/index.js#L17-L540
github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40
github.com/unshiftio/url-parse/pull/223
huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b
lists.debian.org/debian-lts-announce/2023/02/msg00030.html