CVE-2021-3647
SSRF vulnerability in urijs (npm)
What is CVE-2021-3647 About?
In URI.js, specific combinations of backslash and slash characters in the scheme delimiter can lead to hostname spoofing, allowing allow/block list bypasses, SSRF, or open redirects. This vulnerability is moderately easy to exploit by carefully crafting a malicious URL. Its impact can range from data exfiltration to unauthorized resource access.
Affected Software
Technical Details
The vulnerability in URI.js arises from improper parsing of URLs when a combination of backslash (\) and slash (/) characters is used within the scheme delimiter (e.g., scheme:/\/\/\hostname). The affected versions incorrectly determine the hostname, often returning no hostname at all, thereby bypassing security checks that rely on accurate hostname identification. This misinterpretation allows an attacker to construct URLs that appear legitimate to the parsing logic but internally point to an attacker-controlled domain or an unintended internal resource. Consequences include bypassing allow/block lists, facilitating Server-Side Request Forgery (SSRF) to internal networks, or enabling open redirects by deceiving the application about the true destination of a URL.
What is the Impact of CVE-2021-3647?
Successful exploitation may allow attackers to bypass security filters, conduct Server-Side Request Forgery (SSRF), facilitate open redirects, or otherwise deceive the application about URL destinations, leading to unauthorized access or data leakage.
What is the Exploitability of CVE-2021-3647?
Exploitation requires crafting a specific URL with an unusual scheme delimiter, making the complexity moderate. No authentication is typically required, as the vulnerability affects how URLs are parsed. Privilege requirements are low, as a standard user input field that processes URLs could be an attack vector. This is a remote vulnerability, as the malicious URL would be provided to the application. Special conditions involve the application using the affected URI.js library to parse URLs, especially when making security decisions based on the parsed hostname. Risk factors increase significantly in applications that process user-supplied URLs, perform redirects, or implement hostname-based access control.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3647?
About the Fix from Resolved Security
The patch normalizes protocol delimiters in URLs by replacing any variant or excessive number of slashes or backslashes following protocol schemes like http, https, ws, wss, and ftp with the standard "://". This prevents attackers from bypassing validation or parsing logic using malformed delimiters, thereby fixing the parsing confusion and open redirect vulnerability described in CVE-2021-3647.
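As an added illustration (not URI.js code, and not the project's actual patch), the following Node.js snippet applies the same idea defensively: collapse any run of slashes or backslashes after the scheme into a canonical "://" before parsing, then make the allow-list decision fail closed when no hostname can be determined. The allow list, helper names and sample inputs are constructed assumptions.

```javascript
// Added example, not part of URI.js: pre-parse delimiter normalisation mirroring
// the fix described above, followed by a fail-closed hostname allow-list check.

// Constructed allow list of hosts the application is permitted to contact.
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);

// Collapse any run of '/' or '\' after one of the listed schemes into "://",
// so a mixed delimiter such as "scheme:/\/\/\host" is seen as "scheme://host".
// Scheme list follows the advisory text (http, https, ws, wss, ftp).
function normalizeDelimiter(url) {
  return url.replace(/^(https?|wss?|ftp):[\\\/]+/i,
    (_, scheme) => `${scheme.toLowerCase()}://`);
}

// Parse with the WHATWG URL parser; return null (not an empty string) when
// no hostname can be determined, so callers cannot mistake "no host" for "ok".
function extractHost(url) {
  try {
    const host = new URL(normalizeDelimiter(url)).hostname;
    return host === '' ? null : host;
  } catch {
    return null;
  }
}

// Allow-list decision that fails closed on unparseable or host-less input.
function isAllowedTarget(url) {
  const host = extractHost(url);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Constructed demonstration inputs; the last uses the mixed delimiter shape
// from the advisory and must resolve to its real host rather than to "no host".
const samples = [
  'https://api.example.com/v1/items',
  'https://internal.example.com/admin',
  'https:/\\/\\/\\internal.example.com/admin',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', extractHost(s),
    isAllowedTarget(s) ? 'allowed' : 'denied');
}
```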
Available Upgrade Options
- urijs
- <1.19.7 → Upgrade to 1.19.7
Additional Resources
- https://github.com/medialize/URI.js/releases/tag/v1.19.4
- https://github.com/medialize/URI.js/security/advisories/GHSA-89gv-h8wf-cg8r
- https://github.com/medialize/URI.js/releases/tag/v1.19.6
- https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481
- https://huntr.dev/bounties/1625558772840-medialize/URI.js
- https://osv.dev/vulnerability/GHSA-89gv-h8wf-cg8r
- https://github.com/medialize/URI.js/pull/233
- https://github.com/medialize/URI.js/releases/tag/v1.19.3
What are Similar Vulnerabilities to CVE-2021-3647?
Similar Vulnerabilities: CVE-2019-1010078, CVE-2020-10711, CVE-2020-13756, CVE-2021-23366, CVE-2021-23358
