Version Details and Security Vulnerabilities

📦

amqplib

0.5.4

Comparision Betweeen 0.5.4 and 0.5.3

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

277.45 KB

365.24 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

amqplib

0.5.4

Comparision Betweeen 0.5.4 and 0.5.3

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

277.45 KB

365.24 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.5.4 of the package amqplib.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.5.4 of the package

Summary:

url-parse Incorrectly parses URLs that include an '@'

Details:

A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,

parse(\"http://@/127.0.0.1\")

Will return:

{
 slashes: true,
 protocol: 'http:',
 hash: '',
 query: '',
 pathname: '/127.0.0.1',
 auth: '',
 host: '',
 port: '',
 hostname: '',
 password: '',
 username: '',
 origin: 'null',
 href: 'http:///127.0.0.1'
 }

If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.

Details about url-parse@1.4.7

Summary:

Path traversal in url-parse

Details:

url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Details about url-parse@1.4.7

Summary:

Authorization Bypass Through User-Controlled Key in url-parse

Details:

url-parse prior to version 1.5.8 is vulnerable to Authorization Bypass Through User-Controlled Key.

Details about url-parse@1.4.7

Summary:

Open redirect in url-parse

Details:

Overview

Affected versions of npm url-parse are vulnerable to URL Redirection to Untrusted Site.

Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Details about url-parse@1.4.7

Summary:

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.

Details:

Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.

If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.

This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example:

const parse = require('url-parse')
const express = require('express')
const app = express()
const port = 3000

url = parse(\"\\bjavascript:alert(1)\")

console.log(url)

app.get('/', (req, res) => {
 if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")}
 })

app.listen(port, () => {
 console.log(`Example app listening on port ${port}`)
 })

Details about url-parse@1.4.7

Summary:

Authorization bypass in url-parse

Details:

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Details about url-parse@1.4.7

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.5.4 of the package amqplib.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.5.4 of the package

Summary:

url-parse Incorrectly parses URLs that include an '@'

Details:

A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,

parse(\"http://@/127.0.0.1\")

Will return:

{
 slashes: true,
 protocol: 'http:',
 hash: '',
 query: '',
 pathname: '/127.0.0.1',
 auth: '',
 host: '',
 port: '',
 hostname: '',
 password: '',
 username: '',
 origin: 'null',
 href: 'http:///127.0.0.1'
 }

Details about url-parse@1.4.7

Summary:

Path traversal in url-parse

Details:

url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Details about url-parse@1.4.7

Summary:

Authorization Bypass Through User-Controlled Key in url-parse

Details:

url-parse prior to version 1.5.8 is vulnerable to Authorization Bypass Through User-Controlled Key.

Details about url-parse@1.4.7

Summary:

Open redirect in url-parse

Details:

Overview

Affected versions of npm url-parse are vulnerable to URL Redirection to Untrusted Site.

Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Details about url-parse@1.4.7

Summary:

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.

Details:

If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.

This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example:

const parse = require('url-parse')
const express = require('express')
const app = express()
const port = 3000

url = parse(\"\\bjavascript:alert(1)\")

console.log(url)

app.get('/', (req, res) => {
 if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")}
 })

app.listen(port, () => {
 console.log(`Example app listening on port ${port}`)
 })

Details about url-parse@1.4.7

Summary:

Authorization bypass in url-parse

Details:

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Details about url-parse@1.4.7

Version Details and Security Vulnerabilities

amqplib

Comparision Betweeen 0.5.4 and 0.5.3

Security Vulnerabilities

Version Details and Security Vulnerabilities

amqplib

Comparision Betweeen 0.5.4 and 0.5.3

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Overview

Impact

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Overview

Impact

Version Details and Security Vulnerabilities

amqplib

Comparision Betweeen 0.5.4 and 0.5.3

Security Vulnerabilities

Version Details and Security Vulnerabilities

amqplib

Comparision Betweeen 0.5.4 and 0.5.3

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

url-parse@1.4.7 GHSA-8v38-pw62-9cw2 6.5

url-parse@1.4.7 GHSA-9m6j-fcg5-2442 5.3

url-parse@1.4.7 GHSA-hgjh-723h-mx2j 9.1

url-parse@1.4.7 GHSA-hh27-ffr2-f2jc 6.1

Overview

Impact

url-parse@1.4.7 GHSA-jf5r-8hm2-f872 6.5

url-parse@1.4.7 GHSA-rqff-837h-mm52 5.3

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

url-parse@1.4.7 GHSA-8v38-pw62-9cw2 6.5

url-parse@1.4.7 GHSA-9m6j-fcg5-2442 5.3

url-parse@1.4.7 GHSA-hgjh-723h-mx2j 9.1

url-parse@1.4.7 GHSA-hh27-ffr2-f2jc 6.1

Overview

Impact

url-parse@1.4.7 GHSA-jf5r-8hm2-f872 6.5

url-parse@1.4.7 GHSA-rqff-837h-mm52 5.3