All the vulnerabilities related to the version 1.18.12 of the package
Hostname spoofing via backslashes in URL
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL: https://expected-example.com\@observed-example.com
Escaped string: https://expected-example.com\\@observed-example.com (JavaScript strings must escape backslash)
Affected versions incorrectly return observed-example.com. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass) PR #233 (initial fix for backslash handling)
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
URIjs Hostname spoofing via backslashes in URL
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect.
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL: https:/\expected-example.com/path
Escaped string: https:/\\expected-example.com/path (JavaScript strings must escape backslash)
Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Version 1.19.6 is patched against all known payload variants.
https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass) PR #233 (initial fix for backslash handling)
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
Yaniv Nizry from the CxSCA AppSec team at Checkmarx
URIjs Vulnerable to Hostname spoofing via backslashes in URL
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash (\) and slash (/) characters as part of the scheme delimiter, e.g. scheme:/\/\/\hostname. If the hostname is used in security decisions, the decision may be incorrect.
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL: https:/\/\/\expected-example.com/path
Escaped string: https:/\\/\\/\\expected-example.com/path (JavaScript strings must escape backslash)
Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Version 1.19.7 is patched against all known payload variants.
https://github.com/medialize/URI.js/releases/tag/v1.19.7 (fix for this particular bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for related bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass) PR #233 (initial fix for backslash handling)
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
ready-research via https://huntr.dev/
Authorization Bypass Through User-Controlled Key in urijs
Attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp etc. in order to bypass the patch for CVE-2021-3647.
Leading white space bypasses protocol validation
Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
Patched in 1.19.9
Remove leading whitespace from values before passing them to URI.parse (e.g. via .href(value) or new URI(value)), e.g. by using
function remove_whitespace(url){
const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
url = url.replace(whitespace, '')
return url
}
If you have any questions or comments about this advisory:
Open Redirect in urijs
urijs prior to version 1.19.10 is vulnerable to open redirect. This is the result of a bypass for the fix to CVE-2022-0613.
Incorrect protocol extraction via \r, \n and \t characters
\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.
This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):
const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000
input = "ja\r\nvascript:alert(1)"
url = parse(input)
console.log(url)
app.get('/', (req, res) => {
if (url.protocol !== "javascript:") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")}
})
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
URL Confusion When Scheme Not Supplied in medialize/uri.js
Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as http://www.example.com instead. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.