urijs@1.19.6 vulnerabilities

URI.js is a JavaScript library for working with URLs.

Direct Vulnerabilities

Known vulnerabilities in the urijs package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry lists the vulnerability, its severity (M = medium, H = high) and the vulnerable version range.

Severity: Medium
Cross-site Scripting (XSS)

urijs is a JavaScript library for working with URLs.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the URI.parse() function, which lets \r, \n and \t characters pass through.

How to fix Cross-site Scripting (XSS)?

Upgrade urijs to version 1.19.11 or higher.

Vulnerable versions: <1.19.11

Severity: Medium
Misinterpretation of Input

Affected versions of this package are vulnerable to Misinterpretation of Input when parsing a URL without a scheme and with excessive slashes.

How to fix Misinterpretation of Input?

Upgrade urijs to version 1.19.11 or higher.

Vulnerable versions: <1.19.11

Severity: Medium
Open Redirect

Affected versions of this package are vulnerable to Open Redirect: by bypassing the fix for CVE-2022-0613, an attacker is still able to redirect.

How to fix Open Redirect?

Upgrade urijs to version 1.19.10 or higher.

Vulnerable versions: <1.19.10

Severity: Medium
Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation due to a possible bypass of the protocol validation using leading whitespace.

How to fix Improper Input Validation?

Upgrade urijs to version 1.19.9 or higher.

Vulnerable versions: <1.19.9

Severity: Medium
Open Redirect

Affected versions of this package are vulnerable to Open Redirect. An attacker can use case-insensitive protocol schemes in order to bypass the patch to CVE-2021-3647.

How to fix Open Redirect?

Upgrade urijs to version 1.19.8 or higher.

Vulnerable versions: <1.19.8

Severity: Medium
Open Redirect

Affected versions of this package are vulnerable to Open Redirect. It mishandles certain uses of backslash, such as https:/\, and interprets the URI as a relative path. Browsers usually accept backslashes after the protocol and treat them as normal slashes.

PoC

var URI = require('urijs');
var url = new URI("https:/\/\/\www.google.com");
console.log(url);  // Which will return -->  path: "/www.google.com"

How to fix Open Redirect?

Upgrade urijs to version 1.19.7 or higher.

Vulnerable versions: <1.19.7
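As an added example (not part of the Snyk advisory or of urijs itself), a defender-side check for redirect targets that refuses the input classes the entries above describe (control characters such as \r, \n and \t, leading whitespace, backslashes after the scheme, mixed-case schemes and scheme-less paths with excess slashes) before any URL library sees them, then decides on the parsed host against an allow-list. It uses Node's built-in URL class rather than urijs; the host names, the allow-list and the sample inputs are constructed for the example.

```javascript
// Hosts a redirect may target (constructed for this example).
const ALLOWED_HOSTS = new Set(["www.example.com", "accounts.example.com"]);

// Bytes the advisories above show being mishandled: CR, LF, TAB and the rest of
// the ASCII whitespace/control range, plus backslash, which browsers treat as a
// slash after the scheme while vulnerable urijs parses "https:/\" as relative.
const FORBIDDEN = /[\u0000-\u0020\u007f\\]/;

// Exactly "http://" or "https://" at the very start; nothing else is accepted.
const STRICT_SCHEME = /^https?:\/\//;

// Returns the canonical target URL (via Node's built-in URL class, not urijs),
// or null when the input must be refused.
function safeRedirectTarget(input) {
  if (typeof input !== "string" || input.length === 0) return null;
  // Refuse whitespace, control characters and backslashes anywhere in the
  // string: a legitimate redirect target never needs them.
  if (FORBIDDEN.test(input)) return null;
  // A scheme-less input ("//host", "///host") has no colon: refuse it rather
  // than let a parser guess which part is the host.
  const colon = input.indexOf(":");
  if (colon === -1) return null;
  // Lower-case only the scheme so "HTTPS://" passes the same check as "https://"
  // instead of being accepted by one layer and rejected by another.
  const normalized = input.slice(0, colon).toLowerCase() + input.slice(colon);
  if (!STRICT_SCHEME.test(normalized)) return null;
  let parsed;
  try {
    parsed = new URL(normalized);
  } catch {
    return null;
  }
  // Decide on the parsed host, never on a substring match of the raw input.
  return ALLOWED_HOSTS.has(parsed.hostname) ? parsed.href : null;
}

// Constructed inputs mirroring the input classes in the entries above.
const SAMPLES = [
  "https://www.example.com/login",            // accepted
  "HTTPS://www.example.com/login",            // mixed-case scheme, normalized
  "https:/\\/\\/\\www.example.com",           // backslashes after the scheme
  " https://www.example.com/",                // leading whitespace
  "https://www.example.com\r\nX: y",          // CR/LF
  "///www.example.com",                       // no scheme, excess slashes
  "https://evil.invalid/",                    // host not on the allow-list
];

for (const s of SAMPLES) console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
```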
Severity: High
Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution via parseQuery().

How to fix Prototype Pollution?

Upgrade urijs to version 1.19.7 or higher.

Vulnerable versions: <1.19.7