CVE-2020-26291: Improper Input Validation
In URI.js the hostname can be spoofed by using a backslash (\) character followed by an at sign (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example, parsing the URL https://expected-example.com\@observed-example.com with an affected version incorrectly returns observed-example.com as the hostname, whereas a WHATWG-conformant parser treats the backslash as the end of the authority and returns expected-example.com.
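The discrepancy described above, as an added example that is not URI.js's own code: naiveHost is an illustrative authority parser that, like the affected versions, lets only "/" terminate the authority, so the backslash is swallowed into userinfo and the text after "@" is taken as the host; whatwgHost uses Node's built-in WHATWG URL parser, which treats "\" as a path separator for special schemes. isAllowedHost is a hypothetical allowlist check that refuses any URL on which the two parsers disagree, which catches this class of spoof even if a vulnerable parser is still in use somewhere in the stack. The function names and the allowlist are assumptions for this example.

```javascript
// Added example; naiveHost is a simplified stand-in, not URI.js code.
// It models the affected behaviour: the authority runs until "/", "?" or "#",
// so a "\" is kept and everything after the last "@" becomes the host.
function naiveHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1); // drop userinfo
  return authority.replace(/:\d*$/, '').toLowerCase(); // drop port
}

// WHATWG URL parser (Node's global URL). For special schemes such as https,
// "\" is treated like "/", so the authority ends at the backslash and
// "@observed-example.com" becomes part of the path.
function whatwgHost(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null; // unparseable input is not a valid host
  }
}

// Hypothetical allowlist check (assumption for this example): canonicalize
// with the WHATWG parser, and additionally reject the URL if a naive parser
// would have seen a different host, since a disagreement between parsers is
// exactly the condition an attacker exploits for SSRF or redirect bypasses.
function isAllowedHost(url, allowlist) {
  const host = whatwgHost(url);
  if (host === null) return false;
  if (naiveHost(url) !== host) return false; // parser disagreement: refuse
  return allowlist.includes(host);
}

// Constructed inputs for demonstration.
const spoofed = 'https://expected-example.com\\@observed-example.com';
const benign = 'https://expected-example.com/@observed-example.com';
const allowlist = ['expected-example.com'];

console.log('naive host  :', naiveHost(spoofed));   // observed-example.com
console.log('WHATWG host :', whatwgHost(spoofed));  // expected-example.com
console.log('spoofed allowed:', isAllowedHost(spoofed, allowlist)); // false
console.log('benign allowed :', isAllowedHost(benign, allowlist));  // true
```

The real remediation is to update URI.js to a version that contains the fix; the disagreement check is a defense-in-depth measure for code paths where the URL is also handled by other parsers (proxies, redirect validators, fetch clients) that may split the authority differently.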