Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Advisories for Npm/Url-Parse package
2022
Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
url-parse Incorrectly parses URLs that include an '@'
A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular, parse("http://@/127.0.0.1") Will return: { slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' } If the 'hostname' or 'origin' attributes of the output from url-parse are …
Authorization Bypass Through User-Controlled Key
An authorization bypass through a user-controlled key was found in url-parse.
2021
URL Redirection to Untrusted Site (Open Redirect)
url-parse is vulnerable to URL Redirection to Untrusted Site
Improper Neutralization
url-parse mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
2020
Improper Input Validation
Insufficient validation and sanitization of user input exists in url-parse npm package may allow attacker to bypass security checks.
2018
URL Redirection to Untrusted Site (Open Redirect)
Incorrect parsing in url-parse returns the wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.