url-parse is vulnerable to authorization bypass. Because the library does not properly validate the hostname
in the toString
function of index.js
, an attacker can redirect to malicious URLs using the user-controlled key when no port number is specified in the URL.