Search for packages
| purl | pkg:npm/url-parse@1.1.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8ej8-ebkt-jbgt
Aliases: CVE-2022-0639 GHSA-8v38-pw62-9cw2 |
url-parse Incorrectly parses URLs that include an '@' A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular, ```js parse(\"http://@/127.0.0.1\") ``` Will return: ```yaml { slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' } ``` If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect. |
Affected by 2 other vulnerabilities. |
|
VCID-9z72-97nn-7bcq
Aliases: CVE-2021-27515 GHSA-9m6j-fcg5-2442 |
Affected by 5 other vulnerabilities. |
|
|
VCID-dc9r-szv3-xfbs
Aliases: CVE-2020-8124 GHSA-46c4-8wrp-j99v |
Improper Validation and Sanitization in url-parse Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. |
Affected by 6 other vulnerabilities. |
|
VCID-huzt-k8u7-nqg2
Aliases: CVE-2018-3774 GHSA-pv4c-p2j5-38j4 |
Open Redirect in url-parse Versions of `url-parse` before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities. |
Affected by 7 other vulnerabilities. |
|
VCID-krjz-1bkd-wuhb
Aliases: CVE-2022-0691 GHSA-jf5r-8hm2-f872 |
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ``` |
Affected by 0 other vulnerabilities. |
|
VCID-p8fx-59jj-wkhm
Aliases: CVE-2022-0512 GHSA-rqff-837h-mm52 |
Authorization bypass in url-parse Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6. |
Affected by 3 other vulnerabilities. |
|
VCID-qj9b-d6tc-8qhz
Aliases: CVE-2021-3664 GHSA-hh27-ffr2-f2jc |
Open redirect in url-parse Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. |
Affected by 4 other vulnerabilities. |
|
VCID-v87c-rf2e-syet
Aliases: CVE-2022-0686 GHSA-hgjh-723h-mx2j |
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||