Search for packages
| purl | pkg:deb/debian/node-url-parse@1.0.5-2%2Bdeb9u1 |
| Next non-vulnerable version | 1.5.10+~1.4.8-2 |
| Latest non-vulnerable version | 1.5.10+~1.4.8-2 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-257u-qjc4-afdg
Aliases: CVE-2020-8124 GHSA-46c4-8wrp-j99v |
Improper Validation and Sanitization in url-parse Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. |
Affected by 1 other vulnerability. |
|
VCID-2zqx-vwck-4beu
Aliases: CVE-2021-27515 GHSA-9m6j-fcg5-2442 |
Path traversal in url-parse url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path. |
Affected by 1 other vulnerability. |
|
VCID-91bh-dzjq-xbev
Aliases: CVE-2022-0686 GHSA-hgjh-723h-mx2j |
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. |
Affected by 1 other vulnerability. |
|
VCID-c1dy-p3tz-dbcs
Aliases: CVE-2022-0691 GHSA-jf5r-8hm2-f872 |
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ``` |
Affected by 1 other vulnerability. |
|
VCID-rxnd-sf2e-aqcg
Aliases: CVE-2022-0512 GHSA-rqff-837h-mm52 |
Authorization bypass in url-parse Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6. |
Affected by 1 other vulnerability. |
|
VCID-suhk-1g74-1khf
Aliases: CVE-2018-3774 GHSA-pv4c-p2j5-38j4 |
Open Redirect url-parse package return wrong hostname |
Affected by 7 other vulnerabilities. |
|
VCID-ukj6-rn9c-b7ap
Aliases: CVE-2021-3664 GHSA-hh27-ffr2-f2jc |
Open redirect in url-parse Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. |
Affected by 1 other vulnerability. |
|
VCID-yqx2-x5zq-7qhv
Aliases: CVE-2022-0639 GHSA-8v38-pw62-9cw2 |
url-parse Incorrectly parses URLs that include an '@' A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular, ```js parse(\"http://@/127.0.0.1\") ``` Will return: ```yaml { slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' } ``` If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||