CVE-2020-26291
URL Spoofing vulnerability in urijs (npm)
What is CVE-2020-26291 About?
This vulnerability affects `URI.js` (medialize/URI.js) in versions prior to 1.19.4, in the logic that determines a URL's hostname. It allows URL spoofing using a backslash (`\`) followed by an at sign (`@`), potentially leading to allow/block list bypasses, SSRF, or open redirects, and is relatively easy to exploit with crafted URLs.
Affected Software
Technical Details
The URI.js library, in versions before 1.19.4, is vulnerable to URL spoofing when determining a URL's hostname. The parsing logic incorrectly handles a backslash (`\`) followed by an at sign (`@`) within a URL. For example, given `https://expected-example.com\@observed-example.com`, the library reports `observed-example.com` as the hostname, whereas WHATWG-compliant parsing (the behavior browsers follow) yields `expected-example.com`. This disagreement bypasses the intended security checks: the application acts on observed-example.com while believing it is interacting with expected-example.com. Depending on how the application uses the resolved hostname, this incorrect resolution can be exploited to bypass allow/block lists, facilitate Server-Side Request Forgery (SSRF), enable open redirects, or cause other undesired behavior.
What is the Impact of CVE-2020-26291?
Successful exploitation may allow attackers to bypass security controls (e.g., allow/block lists), perform Server-Side Request Forgery (SSRF), facilitate open redirects, or cause other undesired behavior.
What is the Exploitability of CVE-2020-26291?
Exploitation of this URL spoofing vulnerability is of low complexity. An attacker simply needs to provide a specially crafted URL that is processed by a vulnerable version of URI.js. No authentication is required to submit the malicious URL if the application processes external URL inputs. This is a remote attack vector. There are no special privilege requirements, as the attack leverages a flaw in URL parsing logic. The primary prerequisite is that the application uses affected versions of URI.js and performs security-sensitive decisions based on hostname extraction. The likelihood of exploitation is high in applications that handle user-supplied URLs for navigation, external resource loading, or security checks without proper validation against the WHATWG URL specification.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-26291?
About the Fix from Resolved Security
The patch prevents crafted URLs with backslashes in the authority section from being misinterpreted, which previously allowed attackers to trick the parser into treating part of the path as the authority by substituting backslashes for slashes. By replacing backslashes with slashes before parsing userinfo, it ensures consistent, standards-compliant behavior and neutralizes the confusion exploited in CVE-2020-26291 (authentication and host header injection).
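To make the hostname discrepancy described in the Technical Details and the fix described above concrete, here is an added example (not code from URI.js) that models the pre-1.19.4 userinfo/host split, the post-fix behavior, and a defensive allowlist check that uses Node's built-in WHATWG `URL` parser as the reference. The model is deliberately minimal (no IPv6 or port handling) and the host names are constructed sample values.

```javascript
// Added example, not code from URI.js: a minimal model of how the library split
// userinfo from host before 1.19.4, the post-fix behaviour, and the WHATWG
// parser built into Node (the global URL class) used as the reference.

// Strip "scheme://" so the remaining string starts with the authority.
function authorityOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\//i.exec(url);
  if (!m) throw new Error('absolute URL with "://" expected');
  return url.slice(m[0].length);
}

// Pre-1.19.4 model: the host is what follows the last "@" before the first "/".
// A backslash is not a path separator here, so in "host\@other" the "@" is
// still seen and "other" becomes the host.
function legacyHostname(url) {
  const s = authorityOf(url);
  const firstSlash = s.indexOf('/');
  const end = firstSlash > -1 ? firstSlash : s.length;
  const at = s.lastIndexOf('@', end - 1);
  return s.slice(at + 1, end).split(':')[0].toLowerCase();
}

// 1.19.4 behaviour as described in the fix notes: backslashes become slashes
// before the userinfo split, so "\@" can no longer hide a path in the authority.
function fixedHostname(url) {
  return legacyHostname(url.replace(/\\/g, '/'));
}

// Reference: WHATWG URL parsing, which browsers and fetch() follow.
function whatwgHostname(url) {
  return new URL(url).hostname;
}

// Defensive allowlist check: decide on the WHATWG hostname, and refuse any URL
// on which the legacy extractor disagrees, since that discrepancy is exactly
// what a spoofed URL relies on. Unparseable input is rejected as well.
function isAllowedDestination(url, allowedHosts) {
  let reference, legacy;
  try {
    reference = whatwgHostname(url);
    legacy = legacyHostname(url);
  } catch {
    return false;
  }
  if (legacy !== reference) return false;
  return allowedHosts.includes(reference);
}
```

Running `legacyHostname`, `fixedHostname` and `whatwgHostname` on the advisory's sample URL shows the legacy split returning observed-example.com while the other two agree on expected-example.com.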
Available Upgrade Options
- urijs
- <1.19.4 → Upgrade to 1.19.4
Additional Resources
- https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg
- https://github.com/medialize/URI.js/releases/tag/v1.19.4
- https://nvd.nist.gov/vuln/detail/CVE-2020-26291
- https://www.npmjs.com/package/urijs
- https://www.npmjs.com/advisories/1595
- https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155
- https://osv.dev/vulnerability/GHSA-3329-pjwv-fjpg
What are Similar Vulnerabilities to CVE-2020-26291?
Similar Vulnerabilities: CVE-2020-14144, CVE-2020-15166, CVE-2020-15165, CVE-2017-1000101, CVE-2015-0205
