CVE-2021-3664
URL Redirection to Untrusted Site vulnerability in url-parse (npm)
What is CVE-2021-3664 About?
This vulnerability in the `url-parse` npm package allows for URL Redirection to an Untrusted Site. It can lead to various attacks, including allow/block list bypasses, Server-Side Request Forgery (SSRF) attacks, and open redirects. Exploitation can occur if the library's output is used in contexts like redirects or resource fetching.
Affected Software
Technical Details
The url-parse npm package, in affected versions, improperly handles certain URL constructions, leading to a URL Redirection to Untrusted Site vulnerability. This means that the parsing logic can be tricked into generating a URL that, when subsequently used for redirection or resource fetching, points to an attacker-controlled domain despite appearing legitimate. This can bypass security checks designed to prevent redirects to untrusted sites or to restrict server-side requests (SSRF), allowing the attacker to redirect users to phishing sites or induce the server to make requests to internal network resources on their behalf.
What is the Impact of CVE-2021-3664?
Successful exploitation may allow attackers to conduct phishing attacks, bypass security controls, perform SSRF attacks, or achieve other undesired behavior leading to data exposure or system compromise.
What is the Exploitability of CVE-2021-3664?
Exploitation of this vulnerability is of moderate complexity. It requires no specific authentication or elevated privileges. The attack is remote, contingent on a user interacting with an application that uses the vulnerable url-parse library in a context where its output is used for URL redirection or resource fetching. The primary prerequisite is that the application trusts and acts upon URLs that have been parsed by the vulnerable library, particularly when these URLs originate from or can be influenced by untrusted user input. The likelihood of exploitation increases if the application implements 'allow' or 'block' lists for URLs, as this vulnerability might allow for bypasses.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3664?
About the Fix from Resolved Security
The patch refines URL parsing to correctly distinguish between "special" schemes (like http, https, file, etc.) and others, adjusting how slashes and paths are handled based on the protocol type. This change prevents ambiguous or maliciously crafted URLs from being parsed incorrectly, thereby fixing CVE-2021-3664, an issue where hostile input could bypass restrictions or security logic by exploiting flawed parsing of slashes, protocol, or origins.
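Upgrading to 1.5.2 is the fix. As a complementary check for the redirect and fetch contexts described above, the following added example (not code from url-parse or from the patch) validates a target with Node's built-in WHATWG `URL` class and returns the normalized string the parser produced, so the value that was checked is the value that gets used. The allowlist host, the function names and the sample inputs are constructed for illustration.

```javascript
'use strict';
// Added example: uses Node's built-in WHATWG URL class, not url-parse.
// ALLOWED_HOSTS is a hypothetical allowlist for this illustration.
const ALLOWED_HOSTS = new Set(['app.example.com']);

// Returns the normalized URL string if the target is acceptable, else null.
// Callers must redirect to (or fetch) the RETURNED value, never the raw input,
// so that validation and use cannot disagree about what the URL means.
function safeRedirectTarget(input) {
  if (typeof input !== 'string') return null;
  let u;
  try {
    u = new URL(input); // no base: relative or unparseable input throws
  } catch {
    return null;
  }
  if (u.protocol !== 'https:') return null;            // only one special scheme allowed
  if (u.username || u.password) return null;           // no userinfo in front of the host
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;     // exact host match after parsing
  return u.href;
}

// Constructed inputs. For special schemes the WHATWG parser treats a missing
// slash or a backslash after the scheme as the start of the authority, so the
// host it reports is the host a browser would actually contact.
const SAMPLES = [
  'https://app.example.com/home?x=1',
  'https:/app.example.com/home',
  'https:/other.example.net/x',
  'https:\\\\other.example.net/x',
  'https://app.example.com@other.example.net/',
  'http://app.example.com/',
  '/relative/path',
];

// Maps each sample to the validator's decision.
function checkSamples() {
  return SAMPLES.map((s) => ({ input: s, result: safeRedirectTarget(s) }));
}

for (const { input, result } of checkSamples()) {
  console.log(JSON.stringify(input), '->', result === null ? 'REJECT' : result);
}
```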
Available Upgrade Options
- url-parse
  - <1.5.2 → Upgrade to 1.5.2
Additional Resources
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html
- https://github.com/unshiftio/url-parse/issues/206
- https://nvd.nist.gov/vuln/detail/CVE-2021-3664
- https://huntr.dev/bounties/1625557993985-unshiftio/url-parse
- https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0
- https://osv.dev/vulnerability/GHSA-hh27-ffr2-f2jc
- https://github.com/unshiftio/url-parse
- https://github.com/unshiftio/url-parse/issues/205
What are Similar Vulnerabilities to CVE-2021-3664?
Similar Vulnerabilities: CVE-2023-49080, CVE-2023-47038, CVE-2023-37903, CVE-2023-36662, CVE-2023-35805
