VulnerableCode Package Details - pkg:npm/url-parse@1.5.9

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-c1dy-p3tz-dbcs	url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ```	CVE-2022-0691 GHSA-jf5r-8hm2-f872

Vulnerability

Summary

Aliases

VCID-c1dy-p3tz-dbcs

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ```

CVE-2022-0691
GHSA-jf5r-8hm2-f872

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T21:20:19.301149+00:00	GHSA Importer	Fixing	VCID-c1dy-p3tz-dbcs	https://github.com/advisories/GHSA-jf5r-8hm2-f872	38.6.0
2026-06-04T17:50:17.270562+00:00	GithubOSV Importer	Fixing	VCID-c1dy-p3tz-dbcs	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-jf5r-8hm2-f872/GHSA-jf5r-8hm2-f872.json	38.6.0
2026-06-02T04:41:39.837978+00:00	GitLab Importer	Fixing	VCID-c1dy-p3tz-dbcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2022-0691.yml	38.6.0