CVE-2021-27515
URI Mishandling vulnerability in url-parse (npm)
What is CVE-2021-27515 About?
This vulnerability in url-parse before version 1.5.0 involves mishandling of backslashes in URIs, causing the URI to be interpreted as a relative path. This can lead to security bypasses or incorrect resource loading. Exploitation is relatively straightforward if an attacker can control URI input.
Affected Software
Technical Details
The url-parse library, specifically versions prior to 1.5.0, incorrectly processes URIs that contain backslashes, such as http:\/, instead of forward slashes. This improper parsing mechanism causes the URI to be erroneously interpreted as a relative path rather than its intended absolute or network-based form. For example, a URI like http:\/example.com might be treated as a relative path within the current context, rather than an external HTTP resource. This misinterpretation can lead to path traversal issues, allowing attackers to access local resources, or could lead to security bypasses if URL validation mechanisms fail to correctly resolve the intended destination, potentially redirecting to an attacker-controlled resource or unintended internal path.
What is the Impact of CVE-2021-27515?
Successful exploitation may allow attackers to bypass URL validation, achieve incorrect resource resolution, or potentially lead to path traversal, resulting in disclosure of local files or redirection to malicious sites.
What is the Exploitability of CVE-2021-27515?
Exploitation of this vulnerability is relatively straightforward, requiring an attacker to be able to supply malformed URIs containing backslashes to an application using the vulnerable url-parse library. No specific authentication or privilege requirements are mentioned, suggesting it could be exploitable remotely if the application processes user-supplied URLs. The primary condition is that the application must use url-parse in a context where external input influences URI parsing. Risk factors include applications that dynamically generate or process URLs from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-27515?
About the Fix from Resolved Security
The patch updates the URL parsing logic to treat both forward slashes and backslashes as valid separators after the protocol, addressing logic that previously failed to recognize URLs with backslashes as absolute URLs. This prevents attackers from bypassing host or protocol validation by inserting a backslash (e.g., http:\evil.com)—a core issue in CVE-2021-27515, where url-parse could misinterpret such inputs as relative paths and thus allow malicious external URLs through. By normalizing the handling of slashes and enforcing leading slashes in pathnames, the patch ensures accurate and secure host/protocol extraction in line with browser behavior.
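The following is an added example, not code from url-parse or from the patch described above. It shows the defensive side of the Technical Details and fix sections: a redirect-target check that decides on the resolved host rather than on the raw string. It does not use url-parse at all; it relies on Node's built-in WHATWG `URL` class, which already applies the browser rule the patch adopts (a backslash after a special scheme such as http or https is treated like a forward slash, and a leading `\\` or `/\` is a network-path reference, not a local path). The allowlist, the application origin `https://app.example.com/` and the sample inputs are constructed for the example.

```javascript
// Added example, not url-parse's own code: a redirect/URL validation routine
// that is robust to the backslash-as-separator confusion in CVE-2021-27515.
// Node's WHATWG URL class follows browser rules: after a special scheme a
// backslash counts as a forward slash, and "\\host" or "/\host" names a host.

// Assumed allowlist of hosts a redirect may target (constructed for the example).
const ALLOWED_HOSTS = new Set(["app.example.com", "www.example.com"]);
const BASE_ORIGIN = "https://app.example.com/"; // assumed origin of the application

// Naive logic of the kind the advisory describes: anything that does not start
// with "scheme://" or "//" is assumed to be a relative path and passed through.
// A single backslash defeats this test.
function naiveIsSafeRedirect(input) {
  const hasSchemeAndSlashes = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
  return !hasSchemeAndSlashes && !input.startsWith("//");
}

// Resolve the input the way a browser would and return the host it lands on,
// or null when the input does not parse at all.
function resolveHost(input, base = BASE_ORIGIN) {
  try {
    return new URL(input, base).hostname;
  } catch {
    return null;
  }
}

// Browser-consistent check: parse first, then decide on the resolved protocol
// and host, never on the shape of the raw string.
function isSafeRedirect(input, base = BASE_ORIGIN) {
  let url;
  try {
    url = new URL(input, base);
  } catch {
    return false; // unparsable input is never forwarded
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Constructed sample inputs. In JS source "\\" is one backslash, so the
// literal "http:\\evil.com" is the string http:\evil.com from the advisory.
const SAMPLES = [
  "/account/settings",         // genuine relative path
  "https://www.example.com/x", // allowlisted absolute URL
  "http:\\evil.com",           // backslash after the scheme (CVE-2021-27515)
  "http:\\/evil.com",          // backslash followed by slash, as in the advisory
  "\\\\evil.com",              // \\evil.com: network-path reference with backslashes
  "/\\evil.com",               // /\evil.com: mixed separators
  "javascript:alert(1)",       // non-http scheme, rejected by the protocol check
];

// Run both checks over the samples; returns one row per input so the
// difference between string matching and real resolution is visible.
function review(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    resolvesTo: resolveHost(input),
    naiveAccepts: naiveIsSafeRedirect(input),
    safeAccepts: isSafeRedirect(input),
  }));
}

console.table(review());
```

Every backslash variant resolves to `evil.com` under browser rules, so `naiveAccepts` is true and `safeAccepts` is false for each of them, while the genuine relative path and the allowlisted absolute URL pass both. The design point is that the only reliable question is "which host does this resolve to in the client that will follow it", which is why the check parses against the application's own origin and compares the result against an allowlist instead of looking for `://`.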
Available Upgrade Options
- url-parse
- <1.5.0 → Upgrade to 1.5.0
Additional Resources
- https://advisory.checkmarx.net/advisory/CX-2021-4306
- https://github.com/unshiftio/url-parse
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html
- https://github.com/unshiftio/url-parse/pull/197
- https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0
- https://osv.dev/vulnerability/GHSA-9m6j-fcg5-2442
- https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
What are Similar Vulnerabilities to CVE-2021-27515?
Similar Vulnerabilities: CVE-2020-11022, CVE-2019-11358, CVE-2018-12020, CVE-2017-1000045, CVE-2016-10763
