parse-url is vulnerable to hostname spoofing. The vulnerability exists because the parseUrl
function of index.js
does not properly identify the custom user in ssh url and hostname, allowing an attacker to gain sensitive information by redirecting to the malicious urls.
github.com/advisories/GHSA-pqw5-jmp5-px4v
github.com/IonicaBizau/parse-url/commit/9500430a3b9973bb1b5b2b9b319af2685ad272b3
github.com/ionicabizau/parse-url/commit/9cacf38de02db0fb1358bd6ec04543e523cd6a8e
github.com/IonicaBizau/parse-url/pull/60
huntr.dev/bounties/3587a567-7fcd-4702-b7c9-d9ca565e3c62
huntr.dev/bounties/3587a567-7fcd-4702-b7c9-d9ca565e3c62/