Improper Input Validation

Affecting url-parse package, versions <1.4.5

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

url-parse is a Small footprint URL parser that works seamlessly across Node.js and browser environments.

Affected versions of this package are vulnerable to Improper Input Validation. When using url-parse in the browser the protocol of the URL returned by the parser is not validated correctly. In the Node.js environment strings like, javascript: return empty strings on the resulting URL object, but in the browser document.location.protocol is used when the provided URL doesn't match the validation expression /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i.

PoC by ronperris

 assume(parse.extractProtocol(' javscript:')).eql({
        slashes: false,
        protocol: '',
        rest: ''
      })

Remediation

Upgrade url-parse to version 1.4.5 or higher.

References

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Credit
ronperris
CVE
CVE-2020-8124
CWE
CWE-20
Snyk ID
SNYK-JS-URLPARSE-543307
Disclosed
27 Jan, 2020
Published
27 Jan, 2020