CVE-2021-27516
URL Spoofing vulnerability in urijs (npm)

Category: URL Spoofing | Exploit status: No known exploit | Fix: Fixable by Resolved Security

What is CVE-2021-27516 About?

This vulnerability allows URL hostname spoofing in affected versions of a URL parsing library when a backslash is used in the scheme delimiter. This can lead to incorrect security decisions if the hostname is used for allow/block lists. Exploitation is relatively easy by crafting a specific URL.

Affected Software

urijs <1.19.6

Technical Details

The vulnerability exists in the urijs (URI.js) library, where the logic that determines a URL's hostname mishandles a backslash (\) character within the scheme delimiter (e.g., https:\/\expected-example.com/path). For such a malformed URL the parser either fails to extract the correct hostname or returns an empty hostname. If an application relies on the parser's output for security decisions, such as allowlisting or blocklisting, it may therefore make an incorrect decision, leading to bypasses, SSRF, or open redirects.

What is the Impact of CVE-2021-27516?

Successful exploitation may allow attackers to bypass security restrictions, perform Server-Side Request Forgery (SSRF) attacks, or execute open redirects.

What is the Exploitability of CVE-2021-27516?

Exploitation is of low complexity and requires no authentication or special privileges. The attack is remote, as it involves crafting a malicious URL that an application using the vulnerable library will process. The primary prerequisite is that the application uses an affected version of the library and relies on the parsed hostname for security-sensitive operations. The risk factors include web applications that parse user-supplied URLs for redirection, fetching content, or access control, as these are direct vectors for hostname spoofing and subsequent attacks.

What are the Known Public Exploits?

No known public exploits are listed.

What are the Available Fixes for CVE-2021-27516?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch ensures that backslashes in URLs are normalized to forward slashes when parsing the protocol section, preventing crafted URLs like https:\attacker.com from being interpreted incorrectly. This fixes CVE-2021-27516 by blocking an attacker from bypassing security checks that rely on correct protocol and authority parsing, mitigating potential spoofing or open redirect vulnerabilities.
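To show how the mis-parsed hostname described under Technical Details turns into a wrong allow/block decision, and how the normalization described for the fix repairs it, here is an added JavaScript illustration. It is not urijs's code: the naive parser is a constructed stand-in that mirrors the pre-fix behaviour (only "scheme://" introduces an authority), the hardened variant normalizes the scheme delimiter as the fix does, and the allowlist is constructed; the sample URLs are the ones quoted on this page.

```javascript
// Added illustration, not urijs code: a stand-in parser that, like the
// affected versions, only recognises "scheme://" as introducing an authority,
// beside a version that normalises backslashes in the scheme delimiter the
// way the fix described above does. Sample URLs are taken from this page
// (expected-example.com, attacker.com); the allowlist is constructed.

const ALLOWLIST = ["expected-example.com"]; // constructed

// Naive: "https:\/\host" does not match "scheme://", so the URL is treated
// as a relative path and no hostname is extracted (empty string).
function naiveHostname(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// Hardened: for http(s), rewrite any run of "/" or "\" directly after the
// scheme colon as "//" (browsers treat both as the authority delimiter),
// then parse as before. Backslashes later in the URL are left untouched.
function normalizeSchemeDelimiter(url) {
  return url.replace(/^(https?:)[\\\/]+/i, "$1//");
}

function hardenedHostname(url) {
  return naiveHostname(normalizeSchemeDelimiter(url));
}

// Typical redirect-target check: relative targets (no hostname) are treated
// as same-origin and allowed; absolute targets must name an allowlisted host.
// With naiveHostname the backslash form yields "" and is wrongly allowed.
function redirectAllowed(target, extractHost) {
  const host = extractHost(target);
  return host === "" || ALLOWLIST.includes(host);
}

const SAMPLES = [
  "https://expected-example.com/path",
  "https:\\/\\expected-example.com/path", // https:\/\expected-example.com/path
  "https:\\attacker.com",                  // https:\attacker.com
  "/account",
];

for (const url of SAMPLES) {
  console.log(
    url.padEnd(40),
    "naive:", String(redirectAllowed(url, naiveHostname)).padEnd(5),
    "hardened:", redirectAllowed(url, hardenedHostname),
  );
}
```

The backslash form of attacker.com passes the naive check because an empty hostname is read as "relative", while the hardened check resolves it to attacker.com and rejects it.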

Available Upgrade Options

  • urijs
    • <1.19.6 → Upgrade to 1.19.6


Additional Resources

What are Similar Vulnerabilities to CVE-2021-27516?

Similar Vulnerabilities: CVE-2020-7767, CVE-2020-8174, CVE-2021-20078, CVE-2021-23424, CVE-2021-27532