VulnerableCode Package Details - pkg:npm/url-parse@1.5.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-c1dy-p3tz-dbcs Aliases: CVE-2022-0691 GHSA-jf5r-8hm2-f872	url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ```	1.5.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-c1dy-p3tz-dbcs
Aliases:
CVE-2022-0691
GHSA-jf5r-8hm2-f872

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ```

1.5.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-91bh-dzjq-xbev	Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.	CVE-2022-0686 GHSA-hgjh-723h-mx2j

Vulnerability

Summary

Aliases

VCID-91bh-dzjq-xbev

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

CVE-2022-0686
GHSA-hgjh-723h-mx2j

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:31:03.309028+00:00	GitLab Importer	Affected by	VCID-c1dy-p3tz-dbcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2022-0691.yml	38.6.0
2026-06-05T21:20:19.171870+00:00	GHSA Importer	Fixing	VCID-91bh-dzjq-xbev	https://github.com/advisories/GHSA-hgjh-723h-mx2j	38.6.0
2026-06-04T17:51:10.255373+00:00	GithubOSV Importer	Fixing	VCID-91bh-dzjq-xbev	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-hgjh-723h-mx2j/GHSA-hgjh-723h-mx2j.json	38.6.0
2026-06-02T04:41:39.342510+00:00	GitLab Importer	Fixing	VCID-91bh-dzjq-xbev	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2022-0686.yml	38.6.0