If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash (\) and slash (/) characters as part of the scheme delimiter, e.g. scheme:/\/\/\hostname. If the hostname is used in security decisions, the decision may be incorrect.
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL: https:/\/\/\expected-example.com/path
Escaped string: https:/\\/\\/\\expected-example.com/path (JavaScript strings must escape backslash)
Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Patches
Version 1.19.7 is patched against all known payload variants.
\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.
This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):
Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as http://www.example.com instead. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
1.19.6->1.19.11GitHub Vulnerability Alerts
CVE-2021-3647
Impact
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash (
\) and slash (/) characters as part of the scheme delimiter, e.g.scheme:/\/\/\hostname. If the hostname is used in security decisions, the decision may be incorrect.Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL:
https:/\/\/\expected-example.com/pathEscaped string:https:/\\/\\/\\expected-example.com/path(JavaScript strings must escape backslash)Affected versions incorrectly return no hostname. Patched versions correctly return
expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.Patches
Version 1.19.7 is patched against all known payload variants.
References
https://github.com/medialize/URI.js/releases/tag/v1.19.7 (fix for this particular bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for related bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass) PR #233 (initial fix for backslash handling)
For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
Reporter credit
ready-research via https://huntr.dev/
CVE-2022-0613
Attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp etc. in order to bypass the patch for CVE-2021-3647.
CVE-2022-24723
Impact
Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
Patches
Patched in 1.19.9
Workarounds
Remove leading whitespace from values before passing them to URI.parse (e.g. via
.href(value)ornew URI(value)), e.g. by usingReferences
For more information
If you have any questions or comments about this advisory:
CVE-2022-0868
urijs prior to version 1.19.10 is vulnerable to open redirect. This is the result of a bypass for the fix to CVE-2022-0613.
CVE-2022-1243
\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.
This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):
CVE-2022-1233
Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as http://www.example.com instead. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.