CVE-2020-26291
npm/urijs
Improper Input Validation
In URI.js the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example, the URL https://expected-example.com\@observed-example.com will incorrectly return observed-example.com as the hostname if using an affected version.
All versions before 1.19.4
Upgrade to version 1.19.4 or above.
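The parsing differential behind this advisory, as an added example that is not code from URI.js or the advisory. The naiveHostname function is a constructed stand-in that reproduces the documented pre-1.19.4 behaviour (everything before the last "@" in the authority is treated as userinfo, and "\" does not end the authority); Node's built-in WHATWG URL class is the reference parser, which for https treats "\" like "/". The isAllowedHost check is an assumed defensive pattern: only trust a hostname when both parsers agree.

```javascript
// Constructed stand-in for the pre-1.19.4 behaviour described in the advisory.
// NOT URI.js's implementation: it only models the "@ wins over \" defect.
function naiveHostname(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(.*)$/i.exec(url);
  if (!m) return null;
  let authority = m[1];
  // Authority ends at "/", "?" or "#" but, defectively, not at "\".
  const end = authority.search(/[/?#]/);
  if (end !== -1) authority = authority.slice(0, end);
  // Everything up to the last "@" is taken as userinfo and dropped.
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1);
  // Drop any port and normalise case.
  return authority.split(':')[0].toLowerCase();
}

// Reference parser: WHATWG URL (built into Node). For special schemes such
// as https, a backslash terminates the authority just like a forward slash,
// so "expected-example.com\@observed-example.com" yields expected-example.com.
function whatwgHostname(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

// Defensive allow-list check (assumed pattern): refuse the URL outright if the
// application's parser and the reference parser disagree on the hostname, so a
// spoofed authority cannot pass an allow list under either interpretation.
function isAllowedHost(url, allowList) {
  const reference = whatwgHostname(url);
  const applied = naiveHostname(url);
  if (reference === null || applied === null) return false;
  if (reference !== applied) return false; // parser differential: reject
  return allowList.includes(reference);
}

// Constructed sample input: the advisory's own example URL.
const spoofed = 'https://expected-example.com\\@observed-example.com';
console.log(naiveHostname(spoofed)); // observed-example.com (affected behaviour)
console.log(whatwgHostname(spoofed)); // expected-example.com
console.log(isAllowedHost(spoofed, ['expected-example.com'])); // false
```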
2021-01-08