CVE-2020-26291

Improper Input Validation in npm/urijs

Identifier

CVE-2020-26291

Package Slug

npm/urijs

Vulnerability

Improper Input Validation

Description

In URI.js the hostname can be spoofed by using a backslash \ character followed by an at @ character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example, parsing the URL https://expected-example.com\@observed-example.com with an affected version incorrectly returns observed-example.com as the hostname.
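To make the failure mode concrete, here is an added example (not urijs's own code) that contrasts a naive authority parser, which reproduces the hostname confusion described above, with Node's built-in WHATWG-compliant URL parser. For special schemes such as https, the WHATWG algorithm treats a backslash as the end of the authority, so everything after it is path, and that is also the host a browser would actually connect to. The naive parser, the allow-list helper and the parser-disagreement check are assumptions written for this illustration; the sample URL is the one from the advisory.

```javascript
// Added example, not code from urijs. Demonstrates why a hostname derived from
// a lenient parser must not feed a security decision (allow/block list, SSRF
// guard, redirect target check).

// Constructed sample from the advisory text. A browser connects to
// expected-example.com; the "\@observed-example.com" part is path, not authority.
const SPOOFED = 'https://expected-example.com\\@observed-example.com';

// Naive parser (hypothetical, a simplified stand-in for the affected behaviour):
// everything up to the last "@" in the authority is taken as userinfo, and a
// backslash is never treated as an authority terminator.
function naiveHostname(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(input);
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1);
  return authority.split(':')[0].toLowerCase();
}

// Spec-compliant parser: Node's global URL implements the WHATWG URL Standard,
// where "\" ends the authority of a special-scheme URL. Unparsable input is
// rejected (null) rather than guessed at.
function whatwgHostname(input) {
  try {
    return new URL(input).hostname;
  } catch {
    return null;
  }
}

// Allow-list check parameterised by the hostname extractor, so the two parsers
// can be compared on the same input. Defaults to the spec-compliant one.
function isAllowedDestination(input, allowlist, hostnameOf = whatwgHostname) {
  const host = hostnameOf(input);
  return host !== null && allowlist.includes(host);
}

// Defence in depth: an input on which two parsers disagree about the host is a
// parser-differential candidate and should be refused outright.
function hasHostnameAmbiguity(input) {
  return naiveHostname(input) !== whatwgHostname(input);
}

// Stand-alone demonstration.
const trusted = ['observed-example.com'];
console.log('naive hostname :', naiveHostname(SPOOFED));   // observed-example.com
console.log('whatwg hostname:', whatwgHostname(SPOOFED));  // expected-example.com
console.log('naive allow-list passes :', isAllowedDestination(SPOOFED, trusted, naiveHostname)); // true (bypass)
console.log('whatwg allow-list passes:', isAllowedDestination(SPOOFED, trusted));                // false
console.log('parsers disagree        :', hasHostnameAmbiguity(SPOOFED));                         // true
```

With the naive extractor the allow-list check passes even though the request would go to expected-example.com, which is exactly the bypass the advisory describes; the spec-compliant parser rejects it, and the disagreement check gives a cheap signal for logging or blocking such inputs regardless of which parser a dependency happens to use.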

Affected Versions

All versions before 1.19.4

Solution

Upgrade to version 1.19.4 or above.

Last Modified

2021-01-08
